User Guide

User Guide API Cube API Sysadmin SD Elements Training

Refer to this page for information about version-specific improvements to SD Elements and associated content.

2025.2 | 2025.1 | 2024.4 | 2024.3 | 2024.2 | 2024.1

2025.1

July 5, 2025

New features and enhancements

System View with a compliance report
- The feature flag is enabled by default now, and system view has been extended with a new homepage for compliance reports
  - Users can create one or many compliance reports under an existing system view with a desired regulation assigned, as well as the option to edit, delete, or download that report
Verification Improvement on Checkmarx
- New Global Connector configuration is offered under Checkmarx SAST, allowing users to not retrieve net new scans and skipping already processed scans
Library Threat Framework Mapping Added
- Users will be able to map custom or builtin threats to the support threat framework offerings in SD Elements
- Users can revert updates to reflect latest builtin updates
Advanced Report Updates
- Added Countermeasure Status Update Date as a dimension for filtering for BU/APP/Proj and Countermeasure context (Includes support for Trend Report)
- Added dimensions ‘Updated by’ and ‘Updated Date’ to Library countermeasure for the library countermeasure context
- Added ‘Countermeasure became relevant’ and ‘# of days since relevancy’ dimensions for BU/APP/Proj and Countermeasure context
General Library Improvements
- Ability to expand all related countermeasures on Library Weakness page
- New Filter UI present on Library Threats page
Decommission of unused integrations
- The following Integrations will be removed: Archer, IBM RTC, Pivotal Tracker; HP WebInspect, & Mend
  - Any historical information will be present, but no connections will be present going forward
Removal of legacy Global Report and Training Report
- Replaced with the new functionality of Advanced Reports that gives users more flexibility and configurability

Summary of content updates

CIS Azure Compute Microsoft Windows Server
- Added two compliance regulations reports for Domain Controller and Member Server, 45 Countermeasures, associated Weaknesses and test tasks including 966 How-Tos and associated test.
CIS Azure Foundation
- Added a compliance report with 25 Countermeasures, associated Weaknesses and How-tos.
CIS IBM Cloud
- Added a compliance report with 24 Countermeasures, associated Weaknesses and How-tos.
CIS Kubernetes
- Added two compliance reports with 12 Countermeasures, associated Weaknesses and How-tos.
CIS Amazon EKS
- Updated and added a compliance report with Countermeasures, associated Weaknesses and How-tos.
OWASP Agentic AI
- 12 new Additional Requirements
- 1 new report with 15 sections
- 1 report for OWASP Machine Learning Security Top 10 with 10 sections
- Regulation section mapping
- Survey answer and dependent components
US Privacy Tracker
- 6 new Additional Requirements
- 5 new reports with 15 sections in total
- Regulation section mapping
- Survey answers and dependent components
EN 18031-1
- 29 new countermeasures
- 1 new report for EN 18031-1 with 31 sections
- Regulation section mapping
- Survey answer and dependent components
Mobile Updates (iOS and Android)
- iOS: Added one How-To and one Additional Requirement, updated one Additional Requirement
- Android: Added 2 Countermeasures, 2 corresponding test tasks, associated Weaknesses, and one Additional Requirement
- Updated the titles of 91 How-Tos and 18 Additional Requirements for Android and iOS.
Components & Dependent Components
- Added new components: Azure subscription, JFrog, Apache Kafka, gRPC, Vue.js. , Kubernetes Master and Worker Nodes, Azure Windows Domain Controller and Member Server, IBM Cloud components.
CVSS Scores
- Added CVSS to some Countermeasures with missing CVSS Scores.
Hardware Content Improvements
- Added new Component Answers and added MITRE Hardware Design CWE Compliance report (MITRE CWE VIEW: Hardware Design).
Other improvements
- Made improvements to risk classification answers (diagram), added new answers to the SDE survey to improve applicability of the content, and made improvements to some profiles.
New Just-in-Time Training
- Defending C/C++ (16)
- Secure Software Coding (14)
- Mobile Fundamentals (8)

Content additions and updates (as of June 20, 2025):

Compliance Regulations and Mappings
- Added EN 18031-1 [Experimental]
- Added MITRE CWE VIEW: Hardware Design
- Added US Privacy: Delaware Personal Data Privacy Act
- Added US Privacy: Iowa Consumer Data Protection Act
- Added US Privacy: Nebraska Data Privacy Act
- Added US Privacy: New Hampshire Data Privacy Act
- Added US Privacy: New Jersey Data Privacy Act
- Added OWASP Agentic AI - Threats and Mitigations
- Added OWASP Machine Learning Security Top 10
- Added CIS Benchmark for IBM Cloud Foundations
- Added EN 18031-1
- Added CIS Azure Foundations
- Added CIS Azure Compute Microsoft Windows Server (Member Server)
- Added CIS Azure Compute Microsoft Windows Server (Domain Controller)
- Added CIS Kubernetes (Master Node)
- Added CIS Amazon EKS
- Added CIS Kubernetes (Worker Node)
- Removed CIS AWS Foundations Benchmark
- Removed CIS Amazon EKS Benchmark
- Updated US AI Regulation [INFO: Updated the regulation sections].
Content Packs
- Added IBM Cloud Service
- Added JFrog
- Added EN 18031
- Added CIS Azure Compute Microsoft Windows Server
- Added CIS Azure Foundation
- Added Apache Kafka
- Added gRPC
- Added VueJS
- Added CIS Kubernetes
- Added Amazon EKS CIS
T1: Use multi-factor authentication for remote access to high risk systems or administrative access to services
- TA284: Android - Fingerprint Authentication [Updated]
  - INFO: Updated the title and text.
T10: Use server-to-server authentication [Updated]
- INFO: Updated the text.
T21: Ensure all data in transit is encrypted using a secure TLS channel [Updated]
- INFO: Updated the text.
- TA965: Choice of cipher [Updated]
  - INFO: Updated the text.
T31: Validate all forms of input
- I3039: Sanitize User Input in Vue.js Applications [Added]
T37: Avoid DOM-based Cross-Site Scripting (XSS)
- I3040: Prevent DOM-based XSS in Vue.js applications [Added]
T46: Do not log confidential data
- I406: Android - Logs [Updated]
  - INFO: Updated the title.
T49: Disable and remove debug capabilities and code/data, and prepare application for release [Updated]
- INFO: Updated the text.
- TA281: Android - Preparation for release and final APK [Updated]
  - INFO: Updated the title.
- I414: Android - Preparing application for release [Updated]
  - INFO: Updated the title.
T59: Use standard libraries for cryptography [Updated]
- INFO: Updated the text.
- TA278: Android - Using native cryptography libraries in Android NDK [Updated]
  - INFO: Updated the title.
T60: Use correct and approved cryptographic algorithms, parameters, and key lengths [Updated]
- INFO: Updated the text.
T69: Strong password requirements for server-to-server system accounts
- P687: Insufficient System Account Password Requirements [Updated]
  - INFO: Updated the match conditions.
T75: Use regular expressions that are not vulnerable to Denial of Service
- I3042: Prevent Regular Expression-Based DoS Attacks in Vue.js Applications [Added]
T105: Verify that your application does not have unnecessary debug capability or leftover test/debug code
- TA771: Android - Test the release version of application for debug and test leftovers [Updated]
  - INFO: Updated the title and text.
T146: Use encryption for network communications in mobile environments
- TA945: iOS - App Transport Security (ATS) [Updated]
  - INFO: Updated the title and text.
- I269: Android (Java) - Using encrypted channels [Updated]
  - INFO: Updated the title.
- I293: iOS (Objective-C) - Network Communications Encryption [Updated]
  - INFO: Updated the title.
- I537: iOS (Swift) - Network Communications Encryption [Updated]
  - INFO: Updated the title and text.
- I1392: Android (Kotlin) - Using encrypted channels [Updated]
  - INFO: Updated the title.
T148: Avoid caching confidential data on client
- TA2879: iOS - Client-side caching [Updated]
  - INFO: Updated the title.
- I512: iOS (Objective-C) - Temporary Camera Files [Updated]
  - INFO: Updated the title.
- I536: iOS (Swift) - Temporary Camera Files [Updated]
  - INFO: Updated the title.
- I1408: iOS - Protect against client-side caching [Updated]
  - INFO: Updated the title.
T152: Avoid asking for and using excessive permissions
- I253: Android - Permissions [Updated]
  - INFO: Updated the title and text.
T156: Validate certificate and its chain of trust properly
- I264: Android (Java) - Establishing a secure channel and validating certificates [Updated]
  - INFO: Updated the title.
- I275: iOS (Objective-C) - Certificate Validation - HTTP-based protocols [Updated]
  - INFO: Updated the title.
- I397: Android - WebViewClient [Updated]
  - INFO: Updated the title.
- I510: iOS (Objective-C) - Certificate Validation - Direct SSL [Updated]
  - INFO: Updated the title.
- I531: iOS (Swift) - Certificate Validation - HTTP-based protocols [Updated]
  - INFO: Updated the title.
- I532: iOS (Swift) - Certificate Validation - Direct SSL [Updated]
  - INFO: Updated the title and text.
- I919: iOS - Certificate transparency [Updated]
  - INFO: Updated the title.
T157: Temporary files must be cleaned up after the resource is used
- TA7131: Android - Validating and Securing Cache Usage [Added]
- I267: Android (Java) - Cache Monitor with expiry handling [Updated]
  - INFO: Updated the title.
- I1391: Android (Kotlin) - Cache Monitor with expiry handling [Updated]
  - INFO: Updated the title.
T161: Treat unique device IDs as personal information
- TA280: Android - Unique device IDs [Updated]
  - INFO: Updated the title.
- TA942: iOS - Device Tracking [Updated]
  - INFO: Updated the title.
T162: Validate pathname before retrieving local resources
- I413: Android - Preventing Path Traversal [Updated]
  - INFO: Updated the title.
- I1395: Android (Kotlin) - Preventing Path Traversal [Updated]
  - INFO: Updated the title.
T164: Clear session information from client upon logout
- I3038: Implement Proper Logout Handling in Vue.js [Added]
- I268: Android (Java) – Session cache cleanup on logout [Updated]
  - INFO: Updated the title and text.
- I511: iOS (Objective-C) - Session cleanup [Updated]
  - INFO: Updated the title.
- I529: iOS (Swift) - Session cleanup [Updated]
  - INFO: Updated the title.
T168: Prevent auto-snapshot from saving sensitive data (iOS)
- I254: iOS (Objective-C) - Auto-snapshot Prevention [Updated]
  - INFO: Updated the title.
- I527: iOS (Swift) - Auto-snapshot Prevention [Updated]
  - INFO: Updated the title.
- I1405: iOS - Disable application backgrounding [Updated]
  - INFO: Updated the title.
- I1406: iOS (Objective-C) - Mask sensitive data in the iOS app UI [Updated]
  - INFO: Updated the title.
- I1409: iOS (Swift) - Mask sensitive data in iOS app UI [Updated]
  - INFO: Updated the title.
T170: Secure IPC endpoints used in clients
- I265: Android - Securing IPC Endpoints with Intents [Updated]
  - INFO: Updated the title.
T174: Test that the client application is not asking for excessive permissions
- I277: Android - Black-box testing [Updated]
  - INFO: Updated the title and text.
- I285: Android - White-box testing [Updated]
  - INFO: Updated the title.
T175: Test that the client validates digital certificates
- I278: iOS - Devices or emulators (iPhone/iPad) [Updated]
  - INFO: Updated the title.
- I280: Android - Emulator [Updated]
  - INFO: Updated the title and text.
- I281: Android - Devices [Updated]
  - INFO: Updated the title and text.
T176: Apply principles of privacy when handling personal information
- TA7111: Nebraska DPA [Section 13] [Added]
- TA7113: New Hampshire DPA [Section 507-H:4] [Added]
- TA7114: New Hampshire DPA [Section 507-H:8] [Added]
- TA7116: New Jersey DPA [Section C.56:8-166.12] [Added]
T177: Allow users to review and update their personal information
- TA7115: New Hampshire DPA [Section 507-H:14] [Added]
T178: Obtain consent from users prior to collecting personal information
- TA943: iOS - Purpose String [Updated]
  - INFO: Updated the title.
T187: Test if the app prevents sensitive data leaks through the auto-snapshot feature of iOS
- I303: iOS - Auto-snapshot Prevention Test [Updated]
  - INFO: Updated the title and text.
T189: Minimize the use of unmanaged (native) code
- TA824: Android - Discover and remove illegal syscalls in Android O [Updated]
  - INFO: Updated the title.
T244: Securely delete any unprotected sensitive data before a resource is released or shared
- I270: Android - Secure Management of Sensitive Data [Updated]
  - INFO: Updated the title.
T248: Protect secret keys and passwords in the application
- I272: Android - Using server-side module to store secret keys and passwords for Android applications [Updated]
  - INFO: Updated the title.
- I420: Android (Java) - Secure Key Storage [Updated]
  - INFO: Updated the title.
- I429: iOS (Objective-C) - Using iOS Keychain services for secure data storage [Updated]
  - INFO: Updated the title.
- I535: iOS (Swift) - Using iOS Keychain services for secure data storage [Updated]
  - INFO: Updated the title.
- I1393: Android (Kotlin) - Using server-side module to store secret keys and passwords for Android applications [Updated]
  - INFO: Updated the title.
T261: Manage iOS Pasteboards that are used with sensitive data
- I426: iOS (Objective-C) - Pasteboards [Updated]
  - INFO: Updated the title.
- I525: iOS (Swift) - Pasteboards [Updated]
  - INFO: Updated the title.
T262: Mask passwords by default on mobiles but consider usability options
- I273: iOS (Objective-C) - Inter-App Communication [Updated]
  - INFO: Updated the title.
T265: Handle requests made through iOS URL schemes or Universal Links securely
- I514: iOS (Objective-C) - Universal Links [Updated]
  - INFO: Updated the title.
- I526: iOS (Swift) - Universal Links [Updated]
  - INFO: Updated the title.
- I534: iOS (Swift) - Inter-App Communication [Updated]
  - INFO: Updated the title.
T270: Follow best practices for storing application data on Android devices
- I402: Android - Storage options and considerations [Updated]
  - INFO: Updated the title.
- I1394: Android (Kotlin) - Storage options and considerations [Updated]
  - INFO: Updated the title.
T271: Prevent access to Android components if they do not need external communication
- I404: Android - Disabling external access to Android components [Updated]
  - INFO: Updated the title.
T272: Restrict access to the application's exported components (Android)
- I405: Android - Using Permissions for Access Control [Updated]
  - INFO: Updated the title and text.
- I408: Android - Intent Filters and Explicit Intents [Updated]
  - INFO: Updated the title and text.
- I415: Android - Determining who has requested access to an Android exported component [Updated]
  - INFO: Updated the title.
T275: Avoid sending sensitive data using implicit Intents or Broadcasts
- I403: Android - Avoiding Intent Sniffing [Updated]
  - INFO: Updated the title and text.
T276: Validate the content of received Intents
- I409: Android - Validate input received by Android broadcast receiver [Updated]
  - INFO: Updated the title.
T278: Follow best security practices when using WebView (Android)
- I416: Android - Using WebView Securely [Updated]
  - INFO: Updated the title and text.
T279: Avoid dynamically loading any code without proper security considerations
- TA274: Android - Dynamic class loading [Updated]
  - INFO: Updated the title.
T282: Bind variables in SQL statements for client applications
- I315: Android - SQLite [Updated]
  - INFO: Updated the title and text.
- I709: Android - Bind parameters to content provider query [Updated]
  - INFO: Updated the title.
- I1398: Android (Kotlin) - Bind parameters to content provider query [Updated]
  - INFO: Updated the title.
T295: Avoid storing unencrypted confidential data without access control mechanisms
- I482: iOS (Objective-C) - Data encryption with PBKDF2 [Updated]
  - INFO: Updated the title.
- I528: iOS (Swift) - Data encryption with PBKDF2 [Updated]
  - INFO: Updated the title.
T296: Test that unencrypted confidential data is not stored without access control mechanisms
- I431: iOS - Test that entries are securely stored in iOS Keychain [Updated]
  - INFO: Updated the title.
T305: Verify that your application dynamically loads code only from secure locations
- TA275: Android - Verifying dynamic class loading [Updated]
  - INFO: Updated the title and text.
T316: Prevent unauthorized access to information through keyboard caches and shared dictionaries
- I424: Android - Keyboard Suggestions [Updated]
  - INFO: Updated the title.
- I425: iOS (Objective-C) - Disabling iOS Auto-correction and keyboard extensions [Updated]
  - INFO: Updated the title.
- I523: iOS (Swift) - Disabling Auto-correction and keyboard extensions [Updated]
  - INFO: Updated the title.
T317: Verify that keyboard caches and shared dictionaries do not divulge confidential information
- I513: iOS (Objective-C) - Disabling auto-correction and keyboard extensions [Updated]
  - INFO: Updated the title and text.
- I533: iOS (Swift) - Disabling auto-correction and keyboard extensions [Updated]
  - INFO: Updated the title.
T324: Follow best security practices when using WKWebView (iOS)
- I480: iOS (Objective-C) - WKWebView [Updated]
  - INFO: Updated the title.
- I524: iOS (Swift) - WKWebView [Updated]
  - INFO: Updated the title.
T364: Enable secure backup and restore capabilities
- TA282: Android - Auto-backup of application data [Updated]
  - INFO: Updated the title.
T365: Verify the security of backing up and restoring procedures
- TA283: Android - Verifying auto-backup of application data [Updated]
  - INFO: Updated the title.
T408: Set secure flag on Android Activities with sensitive content
- I495: Android - Setting FLAG_SECURE for Android Activity [Updated]
  - INFO: Updated the title.
- I1396: Android (Kotlin) - Setting FLAG_SECURE for Android Activity [Updated]
  - INFO: Updated the title.
T410: Manage use of Android third-party keyboards with sensitive data
- I496: Android - Third-party keyboards [Updated]
  - INFO: Updated the title.
T423: Disable copying on Android text fields with sensitive data
- I500: Android - Disabling copying capability of Android text fields [Updated]
  - INFO: Updated the title.
- I1806: Android - Mask sensitive information in the Android clipboard [Updated]
  - INFO: Updated the title.
T433: Design a fallback mechanism or a degraded mode for the system
- I3041: Offload Memory-Intensive Tasks to Web Workers [Added]
T446: Verify that only standard libraries are used for cryptography
- TA279: Android - Checking the cryptography libraries that are used with native code [Updated]
  - INFO: Updated the title.
T515: Limit resource consumption of outgoing HTTP requests sent to external user-defined webhooks [Updated]
- INFO: Updated the text.
- I2315: How-to handle requests sent to external webhooks set by users [Added]
T578: Execute only compiled programs in mainframe
- I538: Notes on executing compiled modules in mainframe [Updated]
  - INFO: Updated the text.
T608: Obfuscate your executables
- I563: Android - Obfuscation in Android [Updated]
  - INFO: Updated the title and text.
T609: Protect your application against debuggers
- I2148: iOS - Jailbreak Detection [Added]
- I586: Android - Debugger Detection [Updated]
  - INFO: Updated the title and text.
- I587: iOS - Debugger Detection [Updated]
  - INFO: Updated the title and text.
T612: Detect rooted devices and assess the runtime environment with the aid of SafetyNet Attestation API
- TA791: Android - Root or Custom Build Detection [Updated]
  - INFO: Updated the title and text.
T615: Check your mobile application's integrity and installation source
- I568: Android - Integrity and installation source [Updated]
  - INFO: Updated the title.
T751: Provide users with a notification of personal information processing
- TA944: iOS - Privacy Notice [Updated]
  - INFO: Updated the title.
T754: Enable the restriction of processing personal information of an individual for a specific purpose
- TA7112: Nebraska DPA [Section 14] [Added]
T897: Test if the unmanaged code is used securely
- TA825: Android - Test if illegal syscalls exist in an Android O application [Updated]
  - INFO: Updated the title.
T1041: Enable multi-factor authentication (Microsoft Azure) [Updated]
- INFO: Updated the text.
- I2324: Ensure only MFA enabled identities can access privileged Virtual Machine [Added]
- I2349: Ensure that 'multifactor authentication' is 'enabled' for all users [Added]
- I2350: Ensure that 'Allow users to remember multifactor authentication on devices they trust' is disabled [Added]
- I2354: Ensure that a multifactor authentication policy exists for all users [Added]
- I2355: Ensure that multifactor authentication is required for risky sign-ins [Added]
- I2356: Ensure that multifactor authentication is required for Windows Azure Service Management API [Added]
- I2357: Ensure that multifactor authentication is required to access Microsoft Admin Portals [Added]
- P1014: Disabled multi-factor authentication (Azure Active Directory) [Updated]
  - INFO: Updated the title and match conditions.
T1042: Test that multi-factor authentication is enabled (Microsoft Azure) [Updated]
- INFO: Updated the text.
- I2457: Verify that only MFA enabled identities can access privileged Virtual Machine [Added]
- I2482: Verify that multifactor authentication is enabled for all users [Added]
- I2483: Verify that multifactor authentication is not remembered on trusted devices [Added]
- I2487: Verify that a multifactor authentication policy exists for all users [Added]
- I2488: Verify that multifactor authentication is required for risky sign-ins [Added]
- I2489: Verify that multifactor authentication is required for Windows Azure Service Management API [Added]
- I2490: Verify that multifactor authentication is required to access Microsoft Admin Portals [Added]
- P1014: Disabled multi-factor authentication (Azure Active Directory) [Updated]
  - INFO: Updated the title and match conditions.
T1053: Enable VM protection features (Microsoft Azure)
- I2394: Ensure that Microsoft Defender for Cloud is configured to check VM operating systems for updates [Added]
- I2395: Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled' [Added]
- I2396: Ensure That 'All users with the following roles' is set to 'Owner' [Added]
- I2397: Ensure 'Additional email addresses' is Configured with a Security Contact Email [Added]
- I2398: Ensure that 'Notify about alerts with the following severity (or higher)' is enabled [Added]
- I2399: Ensure that 'Notify about attack paths with the following risk level (or higher)' is enabled [Added]
- TA7136: Implement the latest OS patches for all virtual machines (Azure Policy) [Added]
T1054: Test that VM protection features are enabled (Microsoft Azure)
- I2527: Verify that Microsoft Defender for Cloud checks VM operating systems for updates [Added]
- I2528: Verify that Microsoft Cloud Security Benchmark policies are not set to 'Disabled' [Added]
- I2529: Verify that 'All users with the following roles' is set to 'Owner' [Added]
- I2530: Verify that 'Additional email addresses' is Configured with a Security Contact Email [Added]
- I2531: Verify that 'Notify about alerts with the following severity (or higher)' is enabled [Added]
- I2532: Verify that 'Notify about attack paths with the following risk level (or higher)' is enabled [Added]
- TA7133: Verify that the latest OS patches for all virtual machines are applied (Microsoft Defender for Cloud) [Added]
T1077: Log critical events (Microsoft Azure)
- I2362: Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it [Added]
- I2364: Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs [Added]
- I2365: Ensure Diagnostic Setting captures appropriate categories [Added]
- I2367: Ensure that logging for Azure Key Vault is 'Enabled' [Added]
- I2374: Ensure that Activity Log Alert exists for Create Policy Assignment [Added]
- I2375: Ensure that Activity Log Alert exists for Delete Policy Assignment [Added]
- I2376: Ensure that Activity Log Alert exists for Create or Update Network Security Group [Added]
- I2377: Ensure that Activity Log Alert exists for Delete Network Security Group [Added]
- I2378: Ensure that Activity Log Alert exists for Create or Update Security Solution [Added]
- I2379: Ensure that Activity Log Alert exists for Delete Security Solution [Added]
- I2380: Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule [Added]
- I2381: Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule [Added]
- I2382: Ensure that Activity Log Alert exists for Create or Update Public IP Address rule [Added]
- I2383: Ensure that Activity Log Alert exists for Delete Public IP Address rule [Added]
- I2384: Ensure that an Activity Log Alert exists for Service Health [Added]
- TA7135: Enable diagnostic settings for Azure resources (Microsoft Azure) [Added]
- TA964: Azure Functions: Auditing and Logging [Updated]
  - INFO: Updated the title.
T1078: Verify that critical events are logged (Microsoft Azure)
- I2495: Verify that Azure Monitor Resource Logging is Enabled for All Services that Support it [Added]
- I2497: Verify that a 'Diagnostic Setting' exists for Subscription Activity Logs [Added]
- I2498: Verify that Diagnostic Setting captures appropriate categories [Added]
- I2500: Verify that logging for Azure Key Vault is 'Enabled' [Added]
- I2507: Verify that Activity Log Alert exists for Create Policy Assignment [Added]
- I2508: Verify that Activity Log Alert exists for Delete Policy Assignment [Added]
- I2509: Verify that Activity Log Alert exists for Create or Update Network Security Group [Added]
- I2510: Verify that Activity Log Alert exists for Delete Network Security Group [Added]
- I2511: Verify that Activity Log Alert exists for Create or Update Security Solution [Added]
- I2512: Verify that Activity Log Alert exists for Delete Security Solution [Added]
- I2513: Verify that Activity Log Alert exists for Create or Update SQL Server Firewall Rule [Added]
- I2514: Verify that Activity Log Alert exists for Delete SQL Server Firewall Rule [Added]
- I2515: Verify that Activity Log Alert exists for Create or Update Public IP Address rule [Added]
- I2516: Verify that Activity Log Alert exists for Delete Public IP Address rule [Added]
- I2517: Verify that an Activity Log Alert exists for Service Health [Added]
- TA7132: Verify that diagnostic settings are enabled for Azure resources (Microsoft Azure) [Added]
T1081: Configure Key Vault securely (Microsoft Azure)
- I2417: Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults [Added]
- I2418: Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults. [Added]
- I2419: Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults [Added]
- I2420: Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults [Added]
- I2421: Ensure the Key Vault is Recoverable [Added]
- TA7137: Implement expiration dates for keys and secrets in Azure Key Vault (Microsoft Azure Key Vault) [Added]
T1082: Verify that Key Vault is configured securely (Microsoft Azure)
- I2550: Verify that the Expiration Date is set for all Keys in RBAC Key Vaults [Added]
- I2551: Verify that the Expiration Date is set for all Keys in Non-RBAC Key Vaults [Added]
- I2552: Verify that the Expiration Date is set for all Secrets in RBAC Key Vaults [Added]
- I2553: Verify that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults [Added]
- I2554: Verify that the Key Vault is Recoverable [Added]
- TA7134: Verify that all Keys and Secrets in Azure Key Vaults have an expiration date set (Microsoft Azure Key Vault) [Added]
T1246: Disable profiling features in applications (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3564: Ensure that the --profiling argument is set to false [Added]
- I3570: Ensure that the --profiling argument is set to false [Added]
T1247: Test that profiling is disabled if not needed (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3670: Verify that the --profiling argument is set to false [Added]
- I3676: Verify that the --profiling argument is set to false [Added]
T1252: Implement audit logging in Kubernetes (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
T1253: Verify the audit policy for Kubernetes security concerns (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3582: Ensure that a minimal audit policy is created [Added]
- I3583: Ensure that the audit policy covers key security concerns [Added]
- I3688: Verify that a minimal audit policy is created [Added]
- I3689: Verify that the audit policy covers key security concerns [Added]
T1254: Secure Kubelet Configuration for Kubernetes (Kubernetes Worker Node) [Updated]
- INFO: Updated the title and text.
T1255: Verify Kubelet security configurations (Kubernetes Worker Node) [Updated]
- INFO: Updated the title and text.
T1258: Implement individual service account credentials for each controller (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3565: Ensure that the --use-service-account-credentials argument is set to true [Added]
- I3566: Ensure that the --service-account-private-key-file argument is set as appropriate [Added]
- I3588: Ensure that default service accounts are not actively used. [Added]
- I3589: Ensure that Service Account Tokens are only mounted where necessary [Added]
- I3596: Minimize access to the service account token creation [Added]
T1259: Verify that service account is securely configured (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3671: Verify that the --use-service-account-credentials argument is set to true [Added]
- I3672: Verify that the --service-account-private-key-file argument is set as appropriate [Added]
- I3694: Verify that default service accounts are not actively used [Added]
- I3695: Verify that Service Account Tokens are only mounted where necessary [Added]
- I3702: Verify that access to the service account token creation is minimized [Added]
T1260: Implement TLS encryption for the etcd service (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3572: Ensure that the --cert-file and --key-file arguments are set as appropriate [Added]
- I3573: Ensure that the --client-cert-auth argument is set to true [Added]
- I3574: Ensure that the --auto-tls argument is not set to true [Added]
- I3575: Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate [Added]
- I3576: Ensure that the --peer-client-cert-auth argument is set to true [Added]
- I3577: Ensure that the --peer-auto-tls argument is not set to true [Added]
- I3578: Ensure that a unique Certificate Authority is used for etcd [Added]
T1261: Verify the security configurations for etcd service (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3678: Verify that the --cert-file and --key-file arguments are set as appropriate [Added]
- I3679: Verify that the --client-cert-auth argument is set to true [Added]
- I3680: Verify that the --auto-tls argument is not set to true [Added]
- I3681: Verify that the --peer-cert-file and --peer-key-file arguments are set as appropriate [Added]
- I3682: Verify that the --peer-client-cert-auth argument is set to true [Added]
- I3683: Verify that the --peer-auto-tls argument is not set to true [Added]
- I3684: Verify that a unique Certificate Authority is used for etcd [Added]
T1262: Implement garbage collection on pod termination (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3563: Ensure that the --terminated-pod-gc-threshold argument is set as appropriate [Added]
T1263: Test the garbage collector activation on pod termination (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3669: Verify that the --terminated-pod-gc-threshold argument is set as appropriate [Added]
T1266: Implement Role Based Access Control for Kubernetes (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3534: Ensure that the --anonymous-auth argument is set to false [Added]
- I3535: Ensure that the --token-auth-file parameter is not set [Added]
- I3536: Ensure that the DenyServiceExternalIPs is set [Added]
- I3537: Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate [Added]
- I3538: Ensure that the --kubelet-certificate-authority argument is set as appropriate [Added]
- I3539: Ensure that the --authorization-mode argument is not set to AlwaysAllow [Added]
- I3540: Ensure that the --authorization-mode argument includes Node [Added]
- I3541: Ensure that the --authorization-mode argument includes RBAC [Added]
- I3542: Ensure that the admission control plugin EventRateLimit is set [Added]
- I3543: Ensure that the admission control plugin AlwaysAdmit is not set [Added]
- I3544: Ensure that the admission control plugin AlwaysPullImages is set [Added]
- I3545: Ensure that the admission control plugin ServiceAccount is set [Added]
- I3546: Ensure that the admission control plugin NamespaceLifecycle is set [Added]
- I3547: Ensure that the admission control plugin NodeRestriction is set [Added]
- I3548: Ensure that the --profiling argument is set to false [Added]
- I3549: Ensure that the --audit-log-path argument is set [Added]
- I3550: Ensure that the --audit-log-maxage argument is set to 30 or as appropriate [Added]
- I3551: Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate [Added]
- I3552: Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate [Added]
- I3553: Ensure that the --request-timeout argument is set as appropriate [Added]
- I3554: Ensure that the --service-account-lookup argument is set to true [Added]
- I3555: Ensure that the --service-account-key-file argument is set as appropriate [Added]
- I3556: Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate [Added]
- I3557: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate [Added]
- I3558: Ensure that the --client-ca-file argument is set as appropriate [Added]
- I3559: Ensure that the --etcd-cafile argument is set as appropriate [Added]
- I3560: Ensure that the --encryption-provider-config argument is set as appropriate [Added]
- I3561: Ensure that encryption providers are appropriately configured [Added]
- I3562: Ensure that the API Server only makes use of Strong Cryptographic Ciphers [Added]
T1267: Verify that the API server is configured to only use strong cryptographic ciphers (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3640: Verify that the --anonymous-auth argument is set to false [Added]
- I3641: Verify that the --token-auth-file parameter is not set [Added]
- I3642: Verify that DenyServiceExternalIPs is set [Added]
- I3643: Verify that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate [Added]
- I3644: Verify that the --kubelet-certificate-authority argument is set as appropriate [Added]
- I3645: Verify that the --authorization-mode argument is not set to AlwaysAllow [Added]
- I3646: Verify that the --authorization-mode argument includes Node [Added]
- I3647: Verify that the --authorization-mode argument includes RBAC [Added]
- I3648: Verify that the admission control plugin EventRateLimit is set [Added]
- I3649: Verify that the admission control plugin AlwaysAdmit is not set [Added]
- I3650: Verify that the admission control plugin AlwaysPullImages is set [Added]
- I3651: Verify that the admission control plugin ServiceAccount is set [Added]
- I3652: Verify that the admission control plugin NamespaceLifecycle is set [Added]
- I3653: Verify that the admission control plugin NodeRestriction is set [Added]
- I3654: Verify that the --profiling argument is set to false [Added]
- I3655: Verify that the --audit-log-path argument is set [Added]
- I3656: Verify that the --audit-log-maxage argument is set to 30 or as appropriate [Added]
- I3657: Verify that the --audit-log-maxbackup argument is set to 10 or as appropriate [Added]
- I3658: Verify that the --audit-log-maxsize argument is set to 100 or as appropriate [Added]
- I3659: Verify that the --request-timeout argument is set as appropriate [Added]
- I3660: Verify that the --service-account-lookup argument is set to true [Added]
- I3661: Verify that the --service-account-key-file argument is set as appropriate [Added]
- I3662: Verify that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate [Added]
- I3663: Verify that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate [Added]
- I3664: Verify that the --client-ca-file argument is set as appropriate [Added]
- I3665: Verify that the --etcd-cafile argument is set as appropriate [Added]
- I3666: Verify that the --encryption-provider-config argument is set as appropriate [Added]
- I3667: Verify that encryption providers are appropriately configured [Added]
- I3668: Verify that the API Server only makes use of Strong Cryptographic Ciphers [Added]
T1290: Implement a security context for your pods and containers (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3617: Apply Security Context to Your Pods and Containers [Added]
T1291: Test that security context is applied to your pods and containers (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3723: Test that security context is applied to your pods and containers [Added]
T1292: Implement image provenance for secure deployments (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3614: Configure Image Provenance using ImagePolicyWebhook admission controller [Added]
T1293: Verify the image provenance configuration for your deployment (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3720: Test Configure Image Provenance using ImagePolicyWebhook admission controller [Added]
T2059: Enable App Service authentication and identity management (Azure App Service) [Updated]
- INFO: Updated the title.
- P1505: Improper App Service authentication and identity management (Azure App Service) [Updated]
  - INFO: Updated the title and match conditions.
T2064: Verify that App Service authentication and identity management is enabled (Azure App Service) [Updated]
- INFO: Updated the title.
- P1505: Improper App Service authentication and identity management (Azure App Service) [Updated]
  - INFO: Updated the title and match conditions.
T2065: Configure TLS for secure connections to App Service (Azure App Service) [Updated]
- INFO: Updated the title.
- P1511: Insecure network communication (Azure App Service) [Updated]
  - INFO: Updated the title and match conditions.
T2066: Verify that TLS is configured properly for App Service (Azure App Service) [Updated]
- INFO: Updated the title.
- P1511: Insecure network communication (Azure App Service) [Updated]
  - INFO: Updated the title and match conditions.
T2067: Use the latest version of software on App Service (Azure App Service) [Updated]
- INFO: Updated the title.
- P1512: Using outdated software in App Service (Azure App Service) [Updated]
  - INFO: Updated the title and match conditions.
T2068: Verify that the latest version of software is used on App Service (Azure App Service) [Updated]
- INFO: Updated the title.
- P1512: Using outdated software in App Service (Azure App Service) [Updated]
  - INFO: Updated the title and match conditions.
T2091: Restrict access to Controller Manager service (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3569: Ensure that the --bind-address argument is set to 127.0.0.1 [Added]
T2092: Verify that the Controller Manager service is not bound to non-loopback insecure addresses (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3675: Verify that the --bind-address argument is set to 127.0.0.1 [Added]
T2093: Implement kubelet server certificate rotation for Kubernetes (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3568: Ensure that the RotateKubeletServerCertificate argument is set to true [Added]
T2094: Verify kubelet server certificate rotation on controller-manager (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3674: Verify that the RotateKubeletServerCertificate argument is set to true [Added]
T2095: Secure Kubernetes configuration files with proper permissions and ownership (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3513: Ensure that the API server pod specification file permissions are set to 600 or more restrictive [Added]
- I3514: Ensure that the API server pod specification file ownership is set to root:root [Added]
- I3515: Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive [Added]
- I3516: Ensure that the controller manager pod specification file ownership is set to root:root [Added]
- I3517: Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive [Added]
- I3518: Ensure that the scheduler pod specification file ownership is set to root:root [Added]
- I3519: Ensure that the etcd pod specification file permissions are set to 600 or more restrictive [Added]
- I3520: Ensure that the etcd pod specification file ownership is set to root:root [Added]
- I3521: Ensure that the Container Network Interface file permissions are set to 600 or more restrictive [Added]
- I3522: Ensure that the Container Network Interface file ownership is set to root:root [Added]
- I3523: Ensure that the etcd data directory permissions are set to 700 or more restrictive [Added]
- I3524: Ensure that the etcd data directory ownership is set to etcd:etcd [Added]
- I3525: Ensure that the default administrative credential file permissions are set to 600 [Added]
- I3526: Ensure that the default administrative credential file ownership is set to root:root [Added]
- I3527: Ensure that the scheduler.conf file permissions are set to 600 or more restrictive [Added]
- I3528: Ensure that the scheduler.conf file ownership is set to root:root [Added]
- I3529: Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive [Added]
- I3530: Ensure that the controller-manager.conf file ownership is set to root:root [Added]
- I3531: Ensure that the Kubernetes PKI directory and file ownership is set to root:root [Added]
- I3532: Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive [Added]
- I3533: Ensure that the Kubernetes PKI key file permissions are set to 600 [Added]
- I3567: Ensure that the --root-ca-file argument is set as appropriate [Added]
T2096: Verify that the permissions on the sensitive configuration files are set properly (Kubernetes Master Node) [Updated]
- INFO: Updated the title and text.
- I3619: Verify that the API server pod specification file permissions are set to 600 or more restrictive [Added]
- I3620: Verify that the API server pod specification file ownership is set to root:root [Added]
- I3621: Verify that the controller manager pod specification file permissions are set to 600 or more restrictive [Added]
- I3622: Verify that the controller manager pod specification file ownership is set to root:root [Added]
- I3623: Verify that the scheduler pod specification file permissions are set to 600 or more restrictive [Added]
- I3624: Verify that the scheduler pod specification file ownership is set to root:root [Added]
- I3625: Verify that the etcd pod specification file permissions are set to 600 or more restrictive [Added]
- I3626: Verify that the etcd pod specification file ownership is set to root:root [Added]
- I3627: Verify that the Container Network Interface file permissions are set to 600 or more restrictive [Added]
- I3628: Verify that the Container Network Interface file ownership is set to root:root [Added]
- I3629: Verify that the etcd data directory permissions are set to 700 or more restrictive [Added]
- I3630: Verify that the etcd data directory ownership is set to etcd:etcd [Added]
- I3631: Verify that the default administrative credential file permissions are set to 600 [Added]
- I3632: Verify that the default administrative credential file ownership is set to root:root [Added]
- I3633: Verify that the scheduler.conf file permissions are set to 600 or more restrictive [Added]
- I3634: Verify that the scheduler.conf file ownership is set to root:root [Added]
- I3635: Verify that the controller-manager.conf file permissions are set to 600 or more restrictive [Added]
- I3636: Verify that the controller-manager.conf file ownership is set to root:root [Added]
- I3637: Verify that the Kubernetes PKI directory and file ownership is set to root:root [Added]
- I3638: Verify that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive [Added]
- I3639: Verify that the Kubernetes PKI key file permissions are set to 600 [Added]
- I3673: Verify that the --root-ca-file argument is set as appropriate [Added]
T2122: Update Android Security Provider
- I1399: Android - Update Android Security Provider in the application [Updated]
  - INFO: Updated the title.
T2133: Protect the security of data in iOS [Updated]
- INFO: Updated the text.
- TA7130: iOS - Best Practices for Keychain Usage [Added]
- I1400: iOS (Swift) - Data encryption using CryptoKit framework [Updated]
  - INFO: Updated the title.
- I1401: iOS (Swift) - Create and validate signatures in CryptoKit framework [Updated]
  - INFO: Updated the title.
- I1403: iOS (Objective-C) - Encryption with Apple Secure Enclave [Updated]
  - INFO: Updated the title.
T2137: Ensure that sensitive data is not recorded (iOS)
- I1410: iOS (Objective-C) - Prevent information disclosure in iOS when mirroring/recording [Updated]
  - INFO: Updated the title.
- I1411: iOS (Swift) - Prevent information disclosure when mirroring/recording [Updated]
  - INFO: Updated the title.
T2232: Use write protection for Parametric Data values (Hardware/Firmware)
- P1630: Missing write protection for parametric data values (Hardware/Firmware) [Updated]
  - INFO: Updated the match conditions.
T2233: Set proper setting of Bus Controlling Capability in Fabric end-point (Hardware/Firmware)
- P1631: Improper setting of bus controlling capability in fabric end-point (Hardware/Firmware) [Updated]
  - INFO: Updated the match conditions.
T2234: Restrict mapping of unwarranted programming overlaps of protected and unprotected ranges by Fabric-Address (Hardware/Firmware)
- P1632: Fabric-address map allows programming of unwarranted overlaps of protected and unprotected ranges (Hardware/Firmware) [Updated]
  - INFO: Updated the match conditions.
T2235: Put security checks in Fabric Bridge (Hardware/Firmware)
- P1633: Missing security checks in fabric bridge (Hardware/Firmware) [Updated]
  - INFO: Updated the match conditions.
T2236: Put security controls in On-chip Fabrics or Buses (Hardware/Firmware)
- P1634: Missing support for security features in on-chip fabrics or buses (Hardware/Firmware) [Updated]
  - INFO: Updated the match conditions.
T2237: Protect against Electromagnetic Fault Injection (EM-FI) (Hardware/Firmware)
- P1635: Improper protection against Electromagnetic Fault Injection (EM-FI) (Hardware/Firmware) [Updated]
  - INFO: Updated the match conditions.
T2238: Protect alert signals against untrusted agents (Hardware/Firmware)
- P1636: Improper protection for out of bounds signal level alerts (Hardware/Firmware) [Updated]
  - INFO: Updated the match conditions.
T2239: Tag traces to indicate owner and debugging privilege level (Hardware/Firmware)
- P1637: Improper management of sensitive trace data (Hardware/Firmware) [Updated]
  - INFO: Updated the match conditions.
T2240: Designate an immutable Root of Trust for storage (Hardware/Firmware)
- P1638: Missing immutable root of trust in hardware (Hardware/Firmware) [Updated]
  - INFO: Updated the match conditions.
T2241: Ensure security version data is protected from tampering (Hardware/Firmware)
- P1639: Security version number mutable to older versions (Hardware/Firmware) [Updated]
  - INFO: Updated the match conditions.
T2242: Implement priority-based arbitration inside the Network on Chips (Hardware/Firmware)
- P1640: Improper isolation of shared resources in network on chip (Hardware/Firmware) [Updated]
  - INFO: Updated the match conditions.
T2243: Protect against fault injection attacks (Hardware/Firmware)
- P1641: Insufficient protection against instruction skipping via fault injection (Hardware/Firmware) [Updated]
  - INFO: Updated the match conditions.
T2244: Protect against error injection errors in redundant blocks (Hardware/Firmware)
- P1642: Unauthorized error injection can degrade hardware redundancy (Hardware/Firmware) [Updated]
  - INFO: Updated the match conditions.
T2245: Protect against abnormal thermal range (Hardware/Firmware)
- P1643: Improper protections against hardware overheating (Hardware/Firmware) [Updated]
  - INFO: Updated the match conditions.
T2453: Verify that managed components are used (Containerization) [Updated]
- INFO: Updated the title.
T2462: Minimize the admission of high-privileged containers (Containerization)
- I1674: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.1) [Unpublished]
- I1678: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 1, Recommendation 4.2.5) [Unpublished]
- I1683: CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (Level 2, Recommendation 4.2.6) [Unpublished]
- I1831: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.2.1) [Unpublished]
- I1835: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 4.2.5) [Unpublished]
- I1836: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 2, Recommendation 4.2.6) [Unpublished]
T2473: Verify the presence of security constraints in all user stories and features
- P1716: Lack of Technical Documentation [Updated]
  - INFO: Updated the match conditions.
T2492: Use device-generated opaque keys to encrypt OS files and data on the device (Hardware/Firmware)
- P1722: Unsecure key generation (Hardware/Firmware) [Updated]
  - INFO: Updated the match conditions.
T2494: Encrypt the bootloader (Hardware/Firmware)
- P1723: Unencrypted bootloader (Hardware/Firmware) [Updated]
  - INFO: Updated the match conditions.
T2496: Generate and forward audit logs (Hardware/Firmware)
- P1724: Lack of device-generated audit logs (Hardware/Firmware) [Updated]
  - INFO: Updated the match conditions.
T2525: Prevent Large Language Model Denial of Service
- TA7119: Agentic AI:T4 - Prevent resource overload [Added]
T2526: Test the prevention Large Language Model Denial of Service
- TA7125: Agentic AI:T4 - Verify resource overload [Added]
T2529: Prevent sensitive information disclosure in Large Language Models
- TA7121: Agentic AI:T9 - Add behavioral profiling [Added]
T2530: Test the prevention of sensitive information disclosure in Large Language Models
- TA7127: Agentic AI:T9 - Test behavioral profiling [Added]
T2533: Mitigate excessive agency in Large Language Models
- TA7118: Agentic AI:T3 - Add permission controls [Added]
- TA7120: Agentic AI:T8 - Introduce logging and monitoring [Added]
- TA7122: Agentic AI:T13 - Ensure integrity [Added]
- TA7123: Agentic AI:T14 - Limit delegation [Added]
T2534: Test excessive agency mitigation in Large Language Models
- TA7124: Agentic AI:T3 - Test permission controls [Added]
- TA7126: Agentic AI:T8 - Test logging and monitoring [Added]
- TA7128: Agentic AI:T13 - Verify integrity [Added]
- TA7129: Agentic AI:T14 - Verify delegation [Added]
T2582: Implement security best practices for data protection (SageMaker) [Updated]
- INFO: Updated the text.
T4016: Implement robust record-keeping (logging) for high-risk AI systems [Updated]
- INFO: Updated the match conditions.
T4186: Restrict physical access to devices, and prefer eSIMs [Unpublished]
- P2190: SIM cloning attacks in LTE network [Unpublished]
T4191: Restrict physical access to devices, and prefer eSIMs [Unpublished]
- P2195: SIM cloning attacks in 5G network [Unpublished]
T5535: Verify encryption of data in transit with SSL (Azure CycleCloud) [Updated]
- INFO: Updated the title.
T5650: Establish Dedicated Management, Identity, and Connectivity Subscriptions (Azure Subscriptions) [Added]
- P3416: Improper Subscription Isolation (Azure Subscriptions) [Added]
T5651: Create additional subscriptions for region-specific governance (Azure Subscriptions) [Added]
- P3417: Lack of Region-Specific Governance (Azure Subscriptions) [Added]
T5652: Ensure resource group and resource region alignment (Azure Subscriptions) [Added]
- P3418: Resource Misalignment in Azure Resource Management (Azure Subscriptions) [Added]
T5653: Use separate subscriptions for active-active deployments (Azure Subscriptions) [Added]
- P3419: Improper Resource Management in Active-Active Deployments (Azure Subscriptions) [Added]
T5654: Use subscriptions as scale units to manage Azure resources efficiently (Azure Subscriptions) [Added]
- P3420: Potential Resource Limitations in Azure Workloads (Azure Subscriptions) [Added]
T5655: Build a Subscription Vending Process (Azure Subscriptions) [Added]
- P3421: Lack of Automated Subscription Management (Azure Subscriptions) [Added]
T5656: Prevent Transferring Azure Subscriptions to or from Microsoft Entra Tenant (Azure Subscriptions) [Added]
- P3422: Unauthorized Subscription Transfer Risk (Azure Subscriptions) [Added]
T5657: Validate Incoming Messenger Messages (Android) [Added]
- P3423: Unvalidated Incoming IPC Messages (Android) [Added]
T5658: Verify Validation of Incoming Messenger Messages (Android) [Added]
- P3423: Unvalidated Incoming IPC Messages (Android) [Added]
T5659: Verify Secure User Data Control Features (Android) [Added]
- P3424: Lack of user control over stored data (Android) [Added]
T5660: Implement secure data control options for users (Android) [Added]
- P3424: Lack of user control over stored data (Android) [Added]
T5685: Implement multi-factor authentication for IBM Cloud resources (IBM Cloud Internet Services) [Added]
- P3441: Lack of Multi-Factor Authentication (IBM Cloud VPC) [Added]
- I2185: Monitor account owner for frequent, unexpected, or unauthorized logins [Added]
- I2186: Ensure API keys unused for 180 days are detected and optionally disabled [Added]
- I2187: Ensure API keys are rotated every 90 days [Added]
- I2188: Restrict user API key creation and service ID creation [Added]
- I2189: Ensure no owner account API key exists [Added]
- I2190: Ensure compliance with IBM Cloud password requirements [Added]
- I2191: Ensure multi-factor authentication (MFA) is enabled for all users in account [Added]
- I2192: Ensure multi-factor authentication (MFA) is enabled for the account owner [Added]
- I2193: Ensure multi-factor authentication (MFA) is enabled at the account level [Added]
- I2194: Ensure contact email is valid [Added]
- I2195: Ensure contact phone number is valid [Added]
- I2196: Ensure IAM users are members of access groups and IAM policies are assigned only to access groups [Added]
- I2197: Ensure a support access group has been created [Added]
- I2198: Minimize the number of users with admin privileges in the account [Added]
- I2199: Minimize the number of Service IDs with admin privileges in the account [Added]
- I2200: Ensure IAM does not allow public access to Cloud Object Storage [Added]
- I2201: Ensure Inactive User Accounts are Suspend [Added]
- I2202: Enable audit logging for IBM Cloud Identity and Access Management [Added]
- I2203: Ensure Identity Federation is set up with a Corporate IDP [Added]
- I2249: Ensure certificates are automatically renewed before expiration [Added]
T5686: Implement access restrictions on IBM Cloud Object Storage (IBM Cloud Object Storage) [Added]
- P3442: Lack of Access Restrictions (IBM Cloud Object Storage) [Added]
- I2204: Ensure network access for Cloud Object Storage is restricted [Added]
- I2205: Ensure network access is set to be exposed only on Private end-points [Added]
- I2206: Ensure access is restricted by using IAM and S3 access control [Added]
- I2207: Disable public (anonymous) access to IBM Cloud Object Storage buckets [Added]
T5687: Enhance data security with envelope encryption (IBM Cloud Object Storage) [Added]
- P3443: Lack of Granular Data Encryption (IBM Cloud Object Storage) [Added]
- I2208: Ensure Cloud Object Storage encryption is done with customer managed keys [Added]
- I2209: Ensure Cloud Object Storage Encryption is set to On with BYOK [Added]
- I2210: Ensure Cloud Object Storage Encryption is set to On with KYOK [Added]
T5688: Implement customer-managed encryption keys in IBM Cloud Block Storage (IBM Cloud Block Storage) [Added]
- P3444: Inadequate Control Over Encryption Keys (IBM Cloud Block Storage) [Added]
- I2211: Ensure 'OS disk' are encrypted with Customer managed keys [Added]
- I2212: Ensure 'Data disks' are encrypted with customer managed keys [Added]
- I2213: Ensure 'Unattached disks' are encrypted with customer managed keys [Added]
T5689: Implement Bring Your Own Key (BYOK) for Enhanced Data Security (IBM Key Management Services) [Added]
- P3445: Lack of Customer-Controlled Encryption Keys (IBM Key Management Services) [Added]
- I2214: Ensure Block Storage is encrypted with customer managed keys [Added]
- I2215: Ensure Block Storage is encrypted with BYOK [Added]
- I2216: Ensure Block Storage is encrypted with KYOK [Added]
T5690: Enable alerts for vulnerabilities in container images (IBM Cloud Container Registry) [Added]
- P3446: Lack of Vulnerability Alerts in Container Images (IBM Cloud Container Registry) [Added]
- I2217: Ensure auditing is configured in the IBM Cloud account [Added]
- I2218: Ensure that archiving is enabled for audit events [Added]
- I2219: Ensure that events are collected and processed [Added]
- I2220: Ensure alerts are defined on custom views [Added]
- I2221: Ensure login only from a list of authorized countries/IP ranges [Added]
- I2222: Ensure Activity Tracker data is encrypted at rest [Added]
- I2223: Ensure Activity Tracker trails are integrated with LogDNA Logs [Added]
- I2248: Ensure alerts are enabled for vulnerabilities [Added]
T5691: Implement encryption at rest using IBM Cloud Database service (IBM Cloud Database) [Added]
- P3447: Lack of Encryption at Rest (IBM Cloud Database) [Added]
- I2224: Ensure disk encryption is enabled with customer managed keys [Added]
- I2225: Ensure network access is set to be exposed on “Private end points only” [Added]
- I2226: Ensure IBM Cloud Databases disk encryption is set to On [Added]
T5692: Implement encryption for client data at-rest using IBM Key Protect (IBM Cloudant) [Added]
- P3448: Lack of Encryption for Client Data at Rest (IBM Cloudant) [Added]
- I2227: Ensure Cloudant encryption is set to On [Added]
- I2228: Ensure IBM Cloudant encryption is enabled with customer managed keys [Added]
- I2229: Ensure IBM Cloudant is only accessible via HTTPS or TLS Connections [Added]
T5693: Enhance web application security with minimum TLS version and WAF (IBM Cloud Internet Services) [Added]
- P3449: Insecure Data Transmission and Insufficient Web Application Protection (IBM Cloud Internet Services) [Added]
- I2230: Enable TLS 1.2 at minimum for all inbound traffic [Added]
- I2231: Ensure Web application firewall is set to ON [Added]
- I2232: Ensure DDoS protection is Active on IBM Cloud Internet Services [Added]
T5694: Implement strict ingress access controls in VPC security groups (IBM Cloud VPC) [Added]
- P3450: Unrestricted Ingress Access in VPC Security Groups (IBM Cloud VPC) [Added]
- I2233: Ensure no VPC access control lists allow ingress from 0.0.0.0/0 to port 22 [Added]
- I2234: Ensure the default security group of every VPC restricts all traffic [Added]
- I2235: Ensure no VPC security groups allow ingress from 0.0.0.0/0 to port 3389 [Added]
- I2236: Ensure no VPC security groups allow ingress from 0.0.0.0/0 to port 22 [Added]
- I2237: Ensure no VPC access control lists allow ingress from 0.0.0.0/0 to port 3389 [Added]
T5695: Secure client requests on IBM Cloud Kubernetes Service (IBM Cloud Kubernetes Service) [Added]
- P3451: Insecure Client Requests (IBM Cloud Kubernetes Service) [Added]
- I2238: Ensure TLS 1.2 for all inbound traffic at IBM Cloud Kubernetes Service Ingress [Added]
- I2239: Ensure IBM Cloud Kubernetes Service worker nodes are updated [Added]
- I2240: Ensure that clusters are accessible only by using private endpoints [Added]
- I2241: Ensure IBM Cloud Kubernetes Service cluster has image pull secrets enabled [Added]
- I2242: Ensure Kubernetes Service clusters have the monitoring service enabled [Added]
- I2243: Ensure IBM Cloud Kubernetes Service clusters have the logging service enabled [Added]
- I2244: Ensure Kubernetes secrets data is encrypted with bring your own key (BYOK) [Added]
- I2245: Ensure Kubernetes secrets data is encrypted with keep your own key (KYOK) [Added]
- I2246: Block deployments of vulnerable images to Kubernetes clusters [Added]
T5696: Implement a regular key rotation policy using Key Protect (IBM Key Protect) [Added]
- P3452: Lack of Regular Key Rotation Policy (IBM Key Protect) [Added]
- I2247: Ensure IBM Key Protect has automated rotation for customer managed keys enabled [Added]
T5697: Verify the security of API key management practices (IBM Cloud Internet Services) [Added]
- P3441: Lack of Multi-Factor Authentication (IBM Cloud VPC) [Added]
- I2250: Verify account owner for frequent, unexpected, or unauthorized logins [Added]
- I2251: Verify that API keys unused for 180 days are detected and optionally disabled [Added]
- I2252: Verify that API keys are rotated every 90 days [Added]
- I2253: Verify that user API key creation are restricted via IAM roles [Added]
- I2254: Verify that no owner account API key exists [Added]
- I2255: Verify compliance with IBM Cloud password requirements [Added]
- I2256: Verify that multi-factor authentication (MFA) is enabled [Added]
- I2257: Verify that multi-factor authentication (MFA) is enabled for the account owner [Added]
- I2258: Verify that multi-factor authentication (MFA) is enabled at the account level [Added]
- I2259: Verify that the contact email is valid [Added]
- I2260: Verify that the contact phone number is valid [Added]
- I2261: Verify that IAM users are members of access groups [Added]
- I2262: Verify that a support access group has been created [Added]
- I2263: Test minimizing the number of users with admin privileges in the account [Added]
- I2264: Test minimizing the number of Service IDs with admin privileges in the account [Added]
- I2265: Verify that IAM does not allow public access to Cloud Object Storage [Added]
- I2266: Verify that inactive user accounts are suspended [Added]
- I2267: Verify that audit logging is enabled [Added]
- I2268: Verify that Identity Federation is set up with a Corporate IDP [Added]
- I2314: Verify that Certificate Manager automatically renews certificates [Added]
T5698: Verify that the IBM Cloud Object Storage bucket firewall restricts access (IBM Cloud Object Storage) [Added]
- P3442: Lack of Access Restrictions (IBM Cloud Object Storage) [Added]
- I2269: Verify that network access is restricted to specific IP range [Added]
- I2270: Verify that network access is set to be exposed only on Private end-points [Added]
- I2271: Verify that access is restricted by using IAM and S3 access control [Added]
- I2272: Verify that public access to IBM Cloud Object Storage buckets is disabled [Added]
T5699: Verify that the encryption keys are managed securely (IBM Cloud Object Storage) [Added]
- P3443: Lack of Granular Data Encryption (IBM Cloud Object Storage) [Added]
- I2273: Verify Cloud Object Storage encryption with customer managed keys [Added]
- I2274: Verify that Cloud Object Storage Encryption is set to On with BYOK [Added]
- I2275: Verify that Cloud Object Storage Encryption is set to On with KYOK [Added]
T5700: Verify that encryption is managed through IBM Key Management Services (IBM Cloud Block Storage) [Added]
- P3444: Inadequate Control Over Encryption Keys (IBM Cloud Block Storage) [Added]
- I2276: Verify that 'OS disk' are encrypted with Customer managed keys [Added]
- I2277: Verify that 'Data disks' are encrypted with customer managed keys [Added]
- I2278: Verify that unattached disks are encrypted with customer managed keys [Added]
T5703: Verify that the database service is provisioned with encryption at rest (IBM Cloud Database) [Added]
- P3447: Lack of Encryption at Rest (IBM Cloud Database) [Added]
- I2289: Verify disk encryption is enabled with customer managed keys [Added]
- I2290: Verify network access to IBM Cloud Databases service [Added]
- I2291: Verify IBM Cloud Databases disk encryption is set to On [Added]
T5704: Verify that the Cloudant instance is provisioned with BYOK (IBM Cloudant) [Added]
- P3448: Lack of Encryption for Client Data at Rest (IBM Cloudant) [Added]
- I2292: Verify Cloudant encryption is set to On [Added]
- I2293: Verify that IBM Cloudant encryption is enabled with customer managed keys [Added]
- I2294: Verify that IBM Cloudant is only accessible via HTTPS or TLS Connections [Added]
T5705: Verify the minimum TLS version is set to 1.2 (IBM Cloud Internet Services) [Added]
- P3449: Insecure Data Transmission and Insufficient Web Application Protection (IBM Cloud Internet Services) [Added]
- I2295: Test that TLS 1.2 is enabled for all inbound traffic [Added]
- I2296: Verify that the Web application firewall is set to ON [Added]
- I2297: Verify that DDoS protection is Active on IBM Cloud Internet Services [Added]
T5706: Verify that VPC access control lists filter traffic appropriately (IBM Cloud VPC) [Added]
- P3450: Unrestricted Ingress Access in VPC Security Groups (IBM Cloud VPC) [Added]
- I2298: Verify that no VPC access control lists allow ingress from 0.0.0.0/0 to port 22 [Added]
- I2299: Verify that the default security group of every VPC restricts all traffic [Added]
- I2300: Verify that no VPC security groups allow ingress from 0.0.0.0/0 to port 3389 [Added]
- I2301: Verify that no VPC security groups allow ingress from 0.0.0.0/0 to port 22 [Added]
- I2302: Verify access control from 0.0.0.0/0 to port 3389 [Added]
T5707: Verify that insecure HTTP requests are redirected to HTTPS (IBM Cloud Kubernetes Service) [Added]
- P3451: Insecure Client Requests (IBM Cloud Kubernetes Service) [Added]
- I2303: Verify TLS 1.2 for all inbound traffic at IBM Cloud Kubernetes Service Ingress [Added]
- I2304: Verify that Kubernetes Service worker nodes are updated [Added]
- I2305: Verify that clusters are accessible only by using private endpoints [Added]
- I2306: Verify that IBM Cloud Kubernetes Service cluster has image pull secrets enabled [Added]
- I2307: Verify Kubernetes Service clusters have the monitoring service enabled [Added]
- I2308: Verify Kubernetes Service clusters have the logging service enabled [Added]
- I2309: Verify that Kubernetes secrets data is encrypted with bring your own key (BYOK) [Added]
- I2310: Verify that Kubernetes secrets data is encrypted with keep your own key (KYOK) [Added]
- I2311: Verify that vulnerable images are blocked from deploying to Kubernetes clusters [Added]
T5709: Organize artifacts with a dedicated artifact repository (JFrog Artifactory) [Added]
- P3453: Lack of Dedicated Artifact Repository (JFrog Artifactory) [Added]
T5710: Utilize build info for enhanced traceability (JFrog Artifactory) [Added]
- P3454: Lack of Build Information Traceability (JFrog Artifactory) [Added]
T5711: Design a universal binary repository structure (JFrog Artifactory) [Added]
- P3455: Inadequate Repository Structure Management (JFrog Artifactory) [Added]
T5712: Implement a 4-part naming convention for repositories (JFrog Artifactory) [Added]
- P3456: Inconsistent Repository Naming (JFrog Artifactory) [Added]
T5713: Create a repository structure for development lifecycle (JFrog Artifactory) [Added]
- P3457: Inadequate Repository Structure (JFrog Artifactory) [Added]
T5714: Implement security processes (JFrog Xray) [Added]
- P3458: Lack of Structured Security Processes (JFrog Xray) [Added]
T5715: Involve R&D in security and compliance (JFrog Xray) [Added]
- P3459: Lack of Integrated Security and Compliance in Software Development Lifecycle (JFrog Xray) [Added]
T5716: Define a policy for high-severity issues (JFrog Xray) [Added]
- P3460: Lack of Structured Policy for High-Severity Issues (JFrog Xray) [Added]
T5717: Implement continuous scanning (JFrog Xray) [Added]
- P3461: Lack of Continuous Vulnerability Scanning (JFrog Xray) [Added]
T5718: Standardize violation management workflow (JFrog Xray) [Added]
- P3462: Inconsistent Violation Management Workflow (JFrog Xray) [Added]
T5719: Prioritize security and compliance violations (JFrog Xray) [Added]
- P3463: Lack of Prioritization in Security and Compliance Violations (JFrog Xray) [Added]
T5720: Implement software package management (JFrog Curation) [Added]
- P3464: Insecure Dependency Management (JFrog Curation) [Added]
T5721: Implement comprehensive software supply chain protection (JFrog Advanced Security) [Added]
- P3465: Software Supply Chain Vulnerabilities (JFrog Advanced Security) [Added]
T5722: Implement continuous runtime security (JFrog Runtime) [Added]
- P3466: Lack of Continuous Runtime Security Monitoring (JFrog Runtime) [Added]
T5723: Implement pre-selection & OSS intelligence (JFrog Catalog) [Added]
- P3467: Inadequate Management of Open-Source Software Packages (JFrog Catalog) [Added]
T5724: Use appropriate access control mechanisms [ACM-2] (EN 18031-1) [Added]
- P3468: Lack of secure access control mechanism (EN 18031-1) [Added]
T5725: Use an appropriate authentication mechanism [AUM-2] (EN 18031-1) [Added]
- P3469: Lack of secure authentication mechanism (EN 18031-1) [Added]
T5726: Ensure the validation of authenticators used in authentication mechanisms [AUM-3] (EN 18031-1) [Added]
- P3470: Insufficient verification of authenticators (EN 18031-1) [Added]
T5727: Implement the capability to change authentication mechanisms [AUM-4] (EN 18031-1) [Added]
- P3471: Lack of authenticator reset mechanism (EN 18031-1) [Added]
T5728: Use strong passwords in authentication mechanisms [AUM-5] (EN 18031-1) [Added]
- P3472: Weak password requirements (EN 18031-1) [Added]
T5729: Implement brute-force protection in authentication mechanism [AUM-6] (EN 18031-1) [Added]
- P3473: Lack of brute-force protection (EN 18031-1) [Added]
T5730: Ensure the applicability and appropriateness of DoS resilience mechanisms [RLM-1] (EN 18031-1) [Added]
- P3474: Lack of Denial of Service (DoS) protection (EN 18031-1) [Added]
T5731: Ensure the applicability and appropriateness of network monitoring mechanisms [NMM-1] (EN 18031-1) [Added]
- P3475: Lack of network monitoring mechanism (EN 18031-1) [Added]
T5732: Ensure the applicability and appropriateness of network traffic control mechanisms [TCM-1] (EN 18031-1) [Added]
- P3476: Lack of traffic control mechanism (EN 18031-1) [Added]
T5733: Use best practices for cryptography [CRY-1] (EN 18031-1) [Added]
- P3477: Use of weak cryptographic algorithms or unsecure cryptographic practices (EN 18031-1) [Added]
T5734: Ensure the applicability and appropriateness of secure update mechanisms [SUM-1] (EN 18031-1) [Added]
- P3478: Lack of secure update mechanism (EN 18031-1) [Added]
T5735: Implement a secure update mechanism [SUM-2] (EN 18031-1) [Added]
- P3478: Lack of secure update mechanism (EN 18031-1) [Added]
T5736: Implement an automated secure update mechanism [SUM-3] (EN 18031-1) [Added]
- P3478: Lack of secure update mechanism (EN 18031-1) [Added]
T5737: Ensure the applicability and appropriateness of secure storage mechanisms [SSM-1] (EN 18031-1) [Added]
- P3479: Lack of secure storage mechanism (EN 18031-1) [Added]
T5738: Implement appropriate integrity protection for secure storage mechanisms [SSM-2] (EN 18031-1) [Added]
- P3479: Lack of secure storage mechanism (EN 18031-1) [Added]
T5739: Implement appropriate confidentiality protection for secure storage mechanisms [SSM-3] (EN 18031-1) [Added]
- P3479: Lack of secure storage mechanism (EN 18031-1) [Added]
T5740: Ensure the applicability and appropriateness of secure communication mechanisms [SCM-1] (EN 18031-1) [Added]
- P3480: Lack of secure communication mechanism (EN 18031-1) [Added]
T5741: Implement appropriate integrity and authenticity protection for communication mechanisms [SCM-2] (EN 18031-1) [Added]
- P3480: Lack of secure communication mechanism (EN 18031-1) [Added]
T5742: Implement appropriate confidentiality protection for communication mechanisms [SCM-3] (EN 18031-1) [Added]
- P3480: Lack of secure communication mechanism (EN 18031-1) [Added]
T5743: Implement appropriate replay protection for communication mechanisms [SCM-4] (EN 18031-1) [Added]
- P3480: Lack of secure communication mechanism (EN 18031-1) [Added]
T5744: Implement appropriate confidential cryptographic keys [CCK-1] (EN 18031-1) [Added]
- P3477: Use of weak cryptographic algorithms or unsecure cryptographic practices (EN 18031-1) [Added]
T5745: Implement secure confidential cryptographic keys [CCK-2] (EN 18031-1) [Added]
- P3477: Use of weak cryptographic algorithms or unsecure cryptographic practices (EN 18031-1) [Added]
T5746: Implement features for preventing default values for preinstalled confidential cryptographic keys [CCK-3] (EN 18031-1) [Added]
- P3477: Use of weak cryptographic algorithms or unsecure cryptographic practices (EN 18031-1) [Added]
T5747: Ensure the use of updated and secure software and hardware [GEC-1] (EN 18031-1) [Added]
- P3481: Use of insecure third party software and hardware (EN 18031-1) [Added]
T5748: Control access to network interfaces and services [GEC-2] (EN 18031-1) [Added]
- P3482: Exposure of services (EN 18031-1) [Added]
T5749: Implement a feature for configuring optional services and the related exposed network interfaces [GEC-3] (EN 18031-1) [Added]
- P3483: Lack of control over configuration parameters (EN 18031-1) [Added]
T5750: Document exposed network interfaces and services [GEC-4] (EN 18031-1) [Added]
- P3484: Lack of technical documentation (EN 18031-1) [Added]
T5751: Disable unnecessary external interfaces [GEC-5] (EN 18031-1) [Added]
- P3485: Exposure of physical external interfaces (EN 18031-1) [Added]
T5752: Implement Input validation [GEC-6] (EN 18031-1) [Added]
- P3486: Poor input validation (EN 18031-1) [Added]
T5753: Verify the network security configuration for Azure Databricks (Azure Databricks) [Added]
- P3487: Lack of Network Traffic Control (Azure Databricks) [Added]
- I2449: Verify that Azure Databricks is deployed in a customer-managed virtual network (VNet) [Added]
- I2450: Verify that network security groups are configured for Databricks subnets [Added]
- I2452: Verify that users and groups are synced from Microsoft Entra ID to Azure Databricks [Added]
- I2453: Verify that Unity Catalog is configured for Azure Databricks [Added]
- I2454: Verify that usage is restricted and expiry is enforced for Databricks personal access tokens [Added]
- I2455: Verify that diagnostic log delivery is configured for Azure Databricks [Added]
T5754: Verify that data exchanged between worker nodes is encrypted (Azure Databricks) [Added]
- P3488: Lack of Encryption for Data in Transit and at Rest (Microsoft Azure Foundation) [Added]
- I2451: Verify that traffic is encrypted between cluster worker nodes [Added]
- I2456: Verify that data at rest and in transit is encrypted in Azure Databricks using customer managed keys (CMK) [Added]
T5756: Verify that users provide consent for permissions from verified publishers (Microsoft 365) [Added]
- P3490: Lack of Role-Based Access Control (RBAC) (Microsoft Azure Foundation) [Added]
- I2467: Verify that user consent for applications is set to allow verified publishers [Added]
- I2470: Verify that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users' [Added]
- I2472: Verify that the user ability to access groups features in My Groups is restricted [Added]
- I2473: Verify that users can create security groups in Azure portals, API or PowerShell is set to No [Added]
- I2474: Verify that Owners can manage group membership requests in My Groups is set to No [Added]
- I2475: Verify that Users can create Microsoft 365 groups in Azure portals, API or PowerShell is set to No [Added]
- I2478: Test that a custom role is assigned permissions for administering resource locks [Added]
- I2479: Verify that Subscription leaving Microsoft Entra tenant is set to Permit no one [Added]
T5757: Verify the configuration of Named locations in Conditional Access (Microsoft Entra ID) [Added]
- P3491: Lack of Conditional Access Policies (Microsoft Azure Foundation) [Added]
- I2484: Verify that 'trusted locations' are defined [Added]
- I2485: Verify that an exclusionary geographic Conditional Access policy is considered [Added]
- I2486: Verify that an exclusionary device code flow policy is considered [Added]
T5758: Verify that Basic or Free SKUs are not used for production workloads (Microsoft Azure) [Added]
- P3492: Inadequate SKU Selection for Production Workloads (Microsoft Azure Foundation) [Added]
- I2496: Verify that SKU Basic/Consumption is not used on monitored artifacts [Added]
T5759: Verify that virtual network flow logs are captured and sent to Log Analytics (Microsoft Azure) [Added]
- P3493: Lack of Centralized Logging Strategy (Microsoft Azure) [Added]
- I2499: Verify that the storage account containing the container with activity logs is encrypted with Customer Managed Key (CMK) [Added]
- I2501: Verify that Network Security Group Flow logs are captured and sent to Log Analytics [Added]
- I2502: Verify that logging for Azure AppService 'HTTP logs' is enabled [Added]
- I2503: Verify that virtual network flow logs are captured and sent to Log Analytics [Added]
- I2504: Verify that a Microsoft Entra diagnostic setting exists to send Microsoft Graph activity logs to an appropriate destination [Added]
- I2505: Verify that a Microsoft Entra diagnostic setting exists to send Microsoft Entra activity logs to an appropriate destination [Added]
- I2506: Verify that Intune logs are captured and sent to Log Analytics [Added]
- I2518: Verify that Application Insights are Configured [Added]
T5760: Verify the configuration of network security groups for Azure (Microsoft Azure) [Added]
- P3494: Improperly Configured Network Security Groups (Microsoft Azure Foundation) [Added]
- I2519: Verify that RDP access from the Internet is evaluated and restricted [Added]
- I2520: Verify that SSH access from the Internet is evaluated and restricted [Added]
- I2521: Verify that UDP access from the Internet is evaluated and restricted [Added]
- I2522: Verify that HTTP(S) access from the Internet is evaluated and restricted [Added]
- I2525: Verify that Public IP addresses are Evaluated on a Periodic Basis [Added]
T5761: Verify that virtual network flow logs are retained for greater than or equal to 90 days (Microsoft Azure) [Added]
- P3495: Lack of Virtual Network Flow Logs Retention (Microsoft Azure Foundation) [Added]
- I2523: Verify that Network Security Group Flow Log retention period is 'greater than 90 days' [Added]
- I2524: Verify that Network Watcher is 'Enabled' for Azure Regions that are in use [Added]
- I2526: Verify that virtual network flow log retention days is set to greater than or equal to 90 [Added]
T5762: Verify the organization's attack surface is minimized (Microsoft Defender for Cloud) [Added]
- I2533: Verify that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled [Added]
- I2534: Verify that Microsoft Defender for DNS is set to 'On' [Added]
- I2535: Verify that Defender for Servers is set to 'On' [Added]
- I2536: Verify that 'Vulnerability assessment for machines' component status is set to 'On' [Added]
- I2537: Verify that 'Endpoint protection' component status is set to 'On' [Added]
- I2538: Verify that 'Agentless scanning for machines' component status is set to 'On' [Added]
- I2539: Verify that 'File Integrity Monitoring' component status is set to 'On' [Added]
- I2540: Verify that Microsoft Defender for Containers is set to 'On' [Added]
- I2541: Verify that Microsoft Defender for Storage is set to 'On' [Added]
- I2542: Verify that Microsoft Defender for App Services is set to 'On' [Added]
- I2543: Verify that Microsoft Defender for Azure Cosmos DB Is Set To 'On' [Added]
- I2544: Verify that Microsoft Defender for Open-Source Relational Databases Is Set To 'On' [Added]
- I2545: Verify that Microsoft Defender for Azure SQL Databases Is Set To 'On' [Added]
- I2546: Verify that Microsoft Defender for SQL Servers on Machines Is Set To 'On' [Added]
- I2547: Verify that Microsoft Defender for Key Vault is set to 'On' [Added]
- I2548: Test that Microsoft Defender for Resource Manager is set to 'On' [Added]
- I2549: Verify that Microsoft Defender for IoT Hub is set to 'On' [Added]
T5763: Implement a vulnerability assessment for machines (Microsoft Defender for Cloud) [Added]
- I2400: Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled [Added]
- I2401: [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On' [Added]
- I2402: Ensure that Defender for Servers is set to 'On' [Added]
- I2403: Ensure that 'Vulnerability assessment for machines' component status is set to 'On' [Added]
- I2404: Ensure that 'Endpoint protection' component status is set to 'On' [Added]
- I2405: Ensure that 'Agentless scanning for machines' component status is set to 'On' [Added]
- I2406: Ensure that 'File Integrity Monitoring' component status is set to 'On' [Added]
- I2407: Ensure That Microsoft Defender for Containers Is Set To 'On' [Added]
- I2408: Ensure That Microsoft Defender for Storage Is Set To 'On' [Added]
- I2409: Ensure That Microsoft Defender for App Services Is Set To 'On' [Added]
- I2410: Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On' [Added]
- I2411: Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' [Added]
- I2412: Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On' [Added]
- I2413: Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' [Added]
- I2414: Ensure That Microsoft Defender for Key Vault Is Set To 'On' [Added]
- I2415: Ensure That Microsoft Defender for Resource Manager Is Set To 'On' [Added]
- I2416: Ensure That Microsoft Defender for IoT Hub Is Set To 'On' [Added]
T5764: Verify the security of Azure Key Vault configurations (Microsoft Azure Key Vault) [Added]
- P3496: Public Network Exposure of Azure Key Vault (Microsoft Azure Foundation) [Added]
- I2555: Verify that Role Based Access Control for Azure Key Vault is enabled [Added]
- I2556: Verify that Public Network Access when using Private Endpoint is disabled [Added]
- I2557: Verify that Private Endpoints are Used for Azure Key Vault [Added]
- I2558: Verify that automatic key rotation is enabled within Azure Key Vault [Added]
- I2559: Verify that Azure Key Vault Managed HSM is used when required [Added]
- I2560: Verify that an Azure Bastion Host Exists [Added]
T5766: Verify that blob versioning is enabled for data recovery (Microsoft Azure Storage) [Added]
- P3498: Lack of Blob Versioning (Microsoft Azure Foundation) [Added]
- I2565: Verify that 'Versioning' is set to 'Enabled' on Azure Blob Storage [Added]
- I2567: Verify that 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access [Added]
- I2573: Verify that Azure Resource Manager ReadOnly locks are considered for Azure Storage Accounts [Added]
- I2574: Verify that Redundancy is set to 'geo-redundant storage (GRS)' on critical Azure Storage Accounts [Added]
- I2578: Verify that Private Endpoints are used to access Storage Accounts [Added]
T5767: Verify that data encryption in transit is enabled (Azure Storage) [Added]
- P3499: Lack of Data Encryption in Transit (Microsoft Azure Foundation) [Added]
- I2566: Verify that 'Secure transfer required' is set to 'Enabled' [Added]
- I2569: Verify that the 'Minimum TLS version' for storage accounts is set to 'Version 1.2' [Added]
T5768: Implement Network Security Groups for Azure Databricks (Microsoft Azure Databricks) [Added]
- P3487: Lack of Network Traffic Control (Azure Databricks) [Added]
- I2316: Ensure that Azure Databricks is deployed in a customer-managed virtual network (VNet) [Added]
- I2317: Ensure that network security groups are configured for Databricks subnets [Added]
- I2319: Ensure that users and groups are synced from Microsoft Entra ID to Azure Databricks [Added]
- I2320: Ensure that Unity Catalog is configured for Azure Databricks [Added]
- I2321: Ensure that usage is restricted and expiry is enforced for Databricks personal access tokens [Added]
- I2322: Ensure that diagnostic log delivery is configured for Azure Databricks [Added]
T5769: Implement encryption for data in transit and at rest (Microsoft Azure Databricks) [Added]
- P3488: Lack of Encryption for Data in Transit and at Rest (Microsoft Azure Foundation) [Added]
- I2318: Ensure that traffic is encrypted between cluster worker nodes [Added]
- I2323: Ensure that data at rest and in transit is encrypted in Azure Databricks using customer managed keys (CMK) [Added]
T5770: Implement Resource Manager Locks to Secure Azure Resources (Microsoft Azure) [Added]
- P3489: Lack of Resource Manager Locks (Microsoft Azure Foundation) [Added]
- I2325: Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes' [Added]
- I2326: Ensure that 'Number of methods required to reset' is set to '2' [Added]
- I2327: Ensure that account 'Lockout threshold' is less than or equal to '10' [Added]
- I2328: Ensure that account 'Lockout duration in seconds' is greater than or equal to '60' [Added]
- I2329: Ensure that a 'Custom banned password list' is set to 'Enforce' [Added]
- I2330: Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' [Added]
- I2331: Ensure that 'Notify users on password resets?' is set to 'Yes' [Added]
- I2332: Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' [Added]
- I2333: Ensure that 'User consent for applications' is set to 'Do not allow user consent' [Added]
- I2335: Ensure that 'Users can register applications' is set to 'No' [Added]
- I2336: Ensure that Guest user access is restricted to properties and memberships of their own directory objects [Added]
- I2338: Ensure that 'Restrict access to Microsoft Entra admin center' is set to 'Yes' [Added]
- I2343: Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes' [Added]
- I2344: Ensure that no custom subscription administrator roles exist [Added]
- I2347: Ensure fewer than 5 users have global administrator assignment [Added]
- I2348: Ensure that 'security defaults' is enabled in Microsoft Entra ID [Added]
- I2358: Ensure that Azure admin accounts are not used for daily operations [Added]
- I2359: Ensure that guest users are reviewed on a regular basis [Added]
- I2360: Ensure that use of the 'User Access Administrator' role is restricted [Added]
- I2361: Ensure that Resource Locks are set for Mission-Critical Azure Resources [Added]
T5771: Implement Role-Based Access Control (RBAC) in Microsoft 365 (Microsoft 365) [Added]
- P3490: Lack of Role-Based Access Control (RBAC) (Microsoft Azure Foundation) [Added]
- I2334: Ensure that 'User consent for applications' is set to 'Allow user consent for apps from verified publishers, for selected permissions' [Added]
- I2337: Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users' [Added]
- I2339: Ensure that 'Restrict user ability to access groups features in My Groups' is set to 'Yes' [Added]
- I2340: Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' [Added]
- I2341: Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No' [Added]
- I2342: Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' [Added]
- I2345: Ensure that a custom role is assigned permissions for administering resource locks [Added]
- I2346: Ensure that 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' is set to 'Permit no one' [Added]
T5772: Implement Conditional Access Policies (Microsoft Azure Active Directory) [Added]
- P3491: Lack of Conditional Access Policies (Microsoft Azure Foundation) [Added]
- I2351: Ensure that 'trusted locations' are defined [Added]
- I2352: Ensure that an exclusionary geographic Conditional Access policy is considered [Added]
- I2353: Ensure that an exclusionary device code flow policy is considered [Added]
T5773: Implement a robust logging strategy for Azure services (Microsoft Azure) [Added]
- P3493: Lack of Centralized Logging Strategy (Microsoft Azure) [Added]
- I2366: Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key (CMK) [Added]
- I2368: Ensure that Network Security Group Flow logs are captured and sent to Log Analytics [Added]
- I2369: Ensure that logging for Azure AppService 'HTTP logs' is enabled [Added]
- I2370: Ensure that virtual network flow logs are captured and sent to Log Analytics [Added]
- I2371: Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Graph activity logs to an appropriate destination [Added]
- I2372: Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Entra activity logs to an appropriate destination [Added]
- I2373: Ensure that Intune logs are captured and sent to Log Analytics [Added]
- I2385: Ensure Application Insights are Configured [Added]
T5774: Configure network security groups to enhance Azure security (Microsoft Azure) [Added]
- P3494: Improperly Configured Network Security Groups (Microsoft Azure Foundation) [Added]
- I2386: Ensure that RDP access from the Internet is evaluated and restricted [Added]
- I2387: Ensure that SSH access from the Internet is evaluated and restricted [Added]
- I2388: Ensure that UDP access from the Internet is evaluated and restricted [Added]
- I2389: Ensure that HTTP(S) access from the Internet is evaluated and restricted [Added]
- I2392: Ensure that Public IP addresses are Evaluated on a Periodic Basis [Added]
T5775: Enable virtual network flow logs retention (Microsoft Azure) [Added]
- P3495: Lack of Virtual Network Flow Logs Retention (Microsoft Azure Foundation) [Added]
- I2390: Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' [Added]
- I2391: Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use [Added]
- I2393: Ensure that virtual network flow log retention days is set to greater than or equal to 90 [Added]
T5776: Enhance security by minimizing public exposure of Azure Key Vault (Microsoft Azure Key Vault) [Added]
- P3496: Public Network Exposure of Azure Key Vault (Microsoft Azure Foundation) [Added]
- I2422: Ensure that Role Based Access Control for Azure Key Vault is enabled [Added]
- I2423: Ensure that Public Network Access when using Private Endpoint is disabled [Added]
- I2424: Ensure that Private Endpoints are Used for Azure Key Vault [Added]
- I2425: Ensure automatic key rotation is enabled within Azure Key Vault [Added]
- I2426: Ensure that Azure Key Vault Managed HSM is used when required [Added]
- I2427: Ensure an Azure Bastion Host Exists [Added]
T5777: Implement soft delete for Azure storage accounts (Microsoft Azure Storage) [Added]
- P3497: Lack of Soft Delete Feature (Microsoft Azure Foundation) [Added]
- I2428: Ensure soft delete for Azure File Shares is Enabled [Added]
- I2429: Ensure 'SMB protocol version' is set to 'SMB 3.1.1' or higher for SMB file shares [Added]
- I2430: Ensure 'SMB channel encryption' is set to 'AES-256-GCM' or higher for SMB file shares [Added]
- I2431: Ensure that soft delete for blobs on Azure Blob Storage storage accounts is Enabled [Added]
- I2435: Ensure Soft Delete is Enabled for Azure Containers and Blob Storage [Added]
- I2437: Ensure 'Cross Tenant Replication' is not enabled [Added]
- I2438: Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled' [Added]
- I2439: Ensure Azure Resource Manager Delete locks are applied to Azure Storage Accounts [Added]
- I2442: Ensure that 'Enable key rotation reminders' is enabled for each Storage Account [Added]
- I2443: Ensure that Storage Account access keys are periodically regenerated [Added]
- I2444: Ensure 'Allow storage account key access' for Azure Storage Accounts is 'Disabled' [Added]
- I2446: Ensure that 'Public Network Access' is 'Disabled' for storage accounts [Added]
- I2447: Ensure default network access rule for storage accounts is set to deny [Added]
- I2448: Ensure that 'Default to Microsoft Entra authorization in the Azure portal' is set to 'Enabled' [Added]
T5778: Implement blob versioning for data integrity and recovery (Microsoft Azure Storage) [Added]
- P3498: Lack of Blob Versioning (Microsoft Azure Foundation) [Added]
- I2432: Ensure 'Versioning' is set to 'Enabled' on Azure Blob Storage storage accounts [Added]
- I2434: Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access [Added]
- I2440: Ensure Azure Resource Manager ReadOnly locks are considered for Azure Storage Accounts [Added]
- I2441: Ensure Redundancy is set to 'geo-redundant storage (GRS)' on critical Azure Storage Accounts [Added]
- I2445: Ensure Private Endpoints are used to access Storage Accounts [Added]
T5779: Enable data encryption in transit for Azure Storage (Microsoft Azure Storage) [Added]
- P3499: Lack of Data Encryption in Transit (Microsoft Azure Foundation) [Added]
- I2433: Ensure that 'Secure transfer required' is set to 'Enabled' [Added]
- I2436: Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2' [Added]
T5780: Evaluate Azure SKUs for Production Workloads (Microsoft Azure) [Added]
- P3492: Inadequate SKU Selection for Production Workloads (Microsoft Azure Foundation) [Added]
- I2363: Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) [Added]
T5781: Verify password policy settings for user accounts (Azure Windows Member Server) [Added]
- P3500: Weak Password Policies (Azure Windows Member Server) [Added]
- I2803: Verify that 'Enforce password history' is set to '24 or more password(s)' [Added]
- I2804: Verify that the 'Maximum password age' is set to '365 or fewer days, but not 0' [Added]
- I2805: Verify that 'Minimum password age' is set to '1 or more day(s)' [Added]
- I2806: Verify that the minimum password length is set to 14 or more characters [Added]
- I2807: Verify that 'Password must meet complexity requirements' is set to 'Enabled' [Added]
- I2808: Verify that 'Store passwords using reversible encryption' is set to 'Disabled' [Added]
T5782: Verify that sensitive privileges are restricted (Azure Windows Member Server) [Added]
- P3501: Inadequate User Rights Management (Azure Windows Member Server) [Added]
- I2809: Verify that 'Access Credential Manager as a trusted caller' is set to 'No One' [Added]
- I2810: Test that 'Access this computer from the network' is set to 'Administrators, Authenticated Users' (MS only) [Added]
- I2811: Verify that 'Act as part of the operating system' is set to 'No One' [Added]
- I2812: Verify that 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE' [Added]
- I2813: Verify that 'Allow log on locally' is set to 'Administrators' [Added]
- I2814: Verify that 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only) [Added]
- I2815: Verify that 'Back up files and directories' is set to 'Administrators, Backup Operators' [Added]
- I2816: Verify that 'Change the system time' is set to 'Administrators, LOCAL SERVICE' [Added]
- I2817: Verify that 'Change the time zone' is set to 'Administrators, LOCAL SERVICE' [Added]
- I2818: Verify that 'Create a pagefile' is set to 'Administrators' [Added]
- I2819: Test that 'Create a token object' is set to 'No One' [Added]
- I2820: Verify that 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' [Added]
- I2821: Verify that 'Create permanent shared objects' is set to 'No One' [Added]
- I2822: Verify that 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\Virtual Machines' (MS only) [Added]
- I2823: Verify that 'Debug programs' is set to 'Administrators' [Added]
- I2824: Test that 'Deny access to this computer from the network' includes 'Guests' [Added]
- I2825: Verify that 'Deny log on as a batch job' includes 'Guests' [Added]
- I2826: Verify that 'Deny log on as a service' includes 'Guests' [Added]
- I2827: Verify that 'Deny log on locally' includes 'Guests' [Added]
- I2828: Verify that 'Deny log on through Remote Desktop Services' includes 'Guests' [Added]
- I2830: Verify that 'Force shutdown from a remote system' is set to 'Administrators' [Added]
- I2831: Verify that 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' [Added]
- I2832: Verify that 'Impersonate a client after authentication' is set correctly [Added]
- I2833: Verify that 'Increase scheduling priority' is set to 'Administrators' [Added]
- I2834: Verify that 'Load and unload device drivers' is set to 'Administrators' [Added]
- I2835: Verify that 'Lock pages in memory' is set to 'No One' [Added]
- I2836: Verify that 'Manage auditing and security log' is set to 'Administrators' (MS only) [Added]
- I2837: Verify that 'Modify an object label' is set to 'No One' [Added]
- I2838: Verify that 'Modify firmware environment values' is set to 'Administrators' [Added]
- I2839: Verify that 'Perform volume maintenance tasks' is set to 'Administrators' [Added]
- I2840: Verify that 'Profile single process' is set to 'Administrators' [Added]
- I2841: Verify that 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost' [Added]
- I2842: Verify that 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' [Added]
- I2843: Verify that 'Restore files and directories' is set to 'Administrators, Backup Operators' [Added]
- I2844: Verify that 'Shut down the system' is set to 'Administrators, Backup Operators' [Added]
- I2845: Verify that 'Take ownership of files or other objects' is set to 'Administrators' [Added]
- I2853: Verify that 'Devices: Allowed to format and eject removable media' is set to 'Administrators' [Added]
- I2854: Verify that 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' [Added]
- I2892: Verify that the system shutdown setting is disabled [Added]
- I2946: Verify that WDigest Authentication is set to Disabled [Added]
- I2952: Verify that 'Enable insecure guest logons' is set to 'Disabled' [Added]
- I2969: Verify that 'Do not display network selection UI' is set to 'Enabled' [Added]
- I2975: Verify that 'Turn off Microsoft consumer experiences' is set to 'Enabled' [Added]
- I2978: Verify that 'Allow Diagnostic Data' is set to 'Enabled: Send required diagnostic data' [Added]
- I2996: Verify that 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block' [Added]
- I3010: Verify that 'Allow indexing of encrypted files' is set to 'Disabled' [Added]
- I3012: Verify that 'Allow user control over installs' is set to 'Disabled' [Added]
- I3013: Verify that 'Always install with elevated privileges' is set to 'Disabled' [Added]
- I3014: Verify that 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled' [Added]
- I3017: Verify that 'Allow Basic authentication' is set to 'Disabled' [Added]
- I3018: Verify that 'Allow unencrypted traffic' is set to 'Disabled' [Added]
- I3019: Verify that 'Disallow Digest authentication' is set to 'Enabled' [Added]
- I3020: Verify that 'Allow Basic authentication' is set to 'Disabled' [Added]
- I3021: Verify that 'Allow unencrypted traffic' is set to 'Disabled' [Added]
- I3023: Verify that 'Prevent users from modifying settings' is set to 'Enabled' [Added]
T5783: Verify the security settings for user accounts and permissions (Azure Windows Member Server) [Added]
- P3502: Unauthorized Access and Impersonation Risks (Azure Windows Member Server) [Added]
- I2829: Verify that 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (MS only) [Added]
- I2846: Verify that 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts' [Added]
- I2847: Verify that the 'Accounts: Guest account status' is set to 'Disabled' (MS only) [Added]
- I2848: Verify that local account use of blank passwords is limited to console logon only [Added]
- I2849: Test the configuration of the administrator account renaming [Added]
- I2850: Test the configuration of the guest account renaming [Added]
- I2893: Verify that User Account Control is set to Enabled [Added]
- I2894: Verify that User Account Control settings are configured correctly [Added]
- I2895: Verify that User Account Control settings are configured correctly [Added]
- I2896: Verify that 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' [Added]
- I2897: Verify that User Account Control settings are properly configured [Added]
- I2898: Verify that 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled' [Added]
- I2899: Verify that User Account Control is set to Enabled [Added]
- I2900: Verify that User Account Control virtualization settings are enabled [Added]
- I2968: Test that 'Block user from showing account details on sign-in' is set to 'Enabled' [Added]
- I2973: Verify that 'Allow Microsoft accounts to be optional' is set to 'Enabled' [Added]
- I2974: Verify that 'Turn off cloud consumer account state content' is set to 'Enabled' [Added]
- I2990: Verify that 'Block all consumer Microsoft account user authentication' is set to 'Enabled' [Added]
T5784: Verify the audit policy settings for security events (Azure Windows Member Server) [Added]
- P3503: Lack of Detailed Auditing for Security Events (Azure Windows Member Server) [Added]
- I2851: Verify that the audit policy subcategory settings are enabled [Added]
- I2852: Verify that 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' [Added]
- I2922: Verify that 'Audit Credential Validation' is set to 'Success and Failure' [Added]
- I2923: Verify that 'Audit Security Group Management' includes 'Success' [Added]
- I2924: Verify that 'Audit User Account Management' is set to 'Success and Failure' [Added]
- I2925: Verify that 'Audit PNP Activity' is set to include 'Success' [Added]
- I2926: Verify that 'Audit Process Creation' is set to include 'Success' [Added]
- I2927: Verify that 'Audit Account Lockout' includes 'Success and Failure' [Added]
- I2928: Verify that 'Audit Group Membership' is set to include 'Success' [Added]
- I2929: Verify that 'Audit Logoff' is set to include 'Success' [Added]
- I2930: Verify that 'Audit Logon' is set to 'Success and Failure' [Added]
- I2931: Verify that 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' [Added]
- I2932: Verify that 'Audit Special Logon' is set to include 'Success' [Added]
- I2933: Verify that 'Audit Other Object Access Events' is set to 'Success and Failure' [Added]
- I2934: Verify that 'Audit Removable Storage' is set to 'Success and Failure' [Added]
- I2935: Verify that 'Audit Audit Policy Change' is set to include 'Success' [Added]
- I2936: Verify that 'Audit Authentication Policy Change' is set to include 'Success' [Added]
- I2937: Verify that 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure' [Added]
- I2938: Verify that 'Audit Sensitive Privilege Use' is set to 'Success and Failure' [Added]
- I2939: Verify that 'Audit Security State Change' is set to include 'Success' [Added]
- I2940: Verify that 'Audit Security System Extension' includes 'Success' [Added]
- I2941: Verify that 'Audit System Integrity' is set to 'Success and Failure' [Added]
- I2957: Verify that 'Include command line in process creation events' is set to 'Enabled' [Added]
T5785: Verify that secure channel traffic is encrypted and signed (Azure Windows Member Server) [Added]
- P3504: Lack of Encryption and Signing for Secure Channel Traffic (Azure Windows Member Server) [Added]
- I2855: Verify that 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled' [Added]
- I2856: Verify that 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled' [Added]
- I2857: Verify that 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled' [Added]
- I2858: Verify that 'Domain member: Disable machine account password changes' is set to 'Disabled' [Added]
- I2859: Verify that the machine account password age is set correctly [Added]
- I2901: Verify that Windows Firewall: Domain: Firewall state is set to On (recommended) [Added]
- I2902: Verify that Windows Firewall: Domain: Inbound connections is set to Block (default) [Added]
- I2903: Verify that Windows Firewall: Domain: Outbound connections is set to Allow (default) [Added]
- I2904: Verify that Windows Firewall logging is configured correctly [Added]
- I2905: Verify that Windows Firewall's logging size limit is set correctly [Added]
- I2906: Verify that Windows Firewall is logging dropped packets [Added]
- I2907: Verify that Windows Firewall logs successful connections [Added]
T5786: Verify the inactivity limit for logon sessions (Azure Windows Member Server) [Added]
- P3505: Lack of Inactivity Lock Screen Policy (Azure Windows Member Server) [Added]
- I2860: Verify that the 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0' [Added]
- I2861: Test the interactive logon message configuration [Added]
- I2862: Test the interactive logon message title configuration [Added]
- I2863: Verify that the interactive logon prompts users to change passwords before expiration [Added]
- I3007: Verify that 'Do not delete temp folders upon exit' is set to 'Disabled' [Added]
- I3008: Verify that 'Do not use temporary folders per session' is set to 'Disabled' [Added]
T5787: Verify that SMB packet signing is required (Azure Windows Member Server) [Added]
- P3507: Lack of SMB Packet Security (Azure Windows Member Server) [Added]
- I2864: Verify that Microsoft network client: Digitally sign communications (always) is set to Enabled [Added]
- I2865: Verify that Microsoft network client: Digitally sign communications (if server agrees) is set to Enabled [Added]
- I2866: Verify that the Microsoft network client: Send unencrypted password to third-party SMB servers is set to Disabled [Added]
- I2867: Verify Microsoft network server session timeout settings [Added]
- I2868: Verify that Microsoft network server: Digitally sign communications (always) is set to Enabled [Added]
- I2869: Verify that Microsoft network server: Digitally sign communications (if client agrees) is set to Enabled [Added]
- I2870: Verify that 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' [Added]
- I2871: Verify that the Microsoft network server's SPN target name validation level is set correctly [Added]
- I2872: Verify that 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled' [Added]
- I2873: Verify that 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' (MS only) [Added]
- I2874: Verify that 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' (MS only) [Added]
- I2875: Verify that 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' [Added]
- I2876: Test that network access for named pipes is configured correctly [Added]
- I2877: Verify that 'Network access: Remotely accessible registry paths' is configured [Added]
- I2878: Verify that 'Network access: Remotely accessible registry paths and sub-paths' is configured [Added]
- I2879: Verify that 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' [Added]
- I2880: Test that network access restrictions for remote calls to SAM are properly configured [Added]
- I2881: Verify that network access shares are not accessible anonymously [Added]
- I2882: Verify that the network access sharing and security model for local accounts is set to classic [Added]
- I2883: Verify that 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled' [Added]
- I2884: Verify that 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled' [Added]
- I2885: Verify that 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled' [Added]
- I2886: Verify that 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1,..... [Added]
- I2887: Verify that 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' [Added]
- I2888: Verify that 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM' [Added]
- I2889: Verify that the network security settings are configured correctly [Added]
- I2890: Verify that the network security settings require NTLMv2 session security [Added]
- I2891: Verify that the network security settings require NTLMv2 session security [Added]
- I2953: Verify that 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled' [Added]
- I2954: Verify that 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' [Added]
- I2955: Verify that 'Hardened UNC Paths' is set to 'Enabled' with required settings [Added]
- I3003: Verify that 'Do not allow drive redirection' is set to 'Enabled' [Added]
T5788: Test the Windows Firewall settings for network traffic filtering (Azure Windows Member Server) [Added]
- P3506: Lack of Network Traffic Filtering (Azure Windows Member Server) [Added]
- I2908: Verify that Windows Firewall: Private: Firewall state is set to On (recommended) [Added]
- I2909: Verify that Windows Firewall: Private: Inbound connections is set to Block (default) [Added]
- I2910: Verify that 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)' [Added]
- I2911: Verify that Windows Firewall logging is configured correctly [Added]
- I2912: Verify that Windows Firewall's logging size limit is set correctly [Added]
- I2913: Verify that Windows Firewall is logging dropped packets [Added]
- I2914: Verify that Windows Firewall logs successful connections [Added]
- I2915: Verify that Windows Firewall: Public: Firewall state is set to On (recommended) [Added]
- I2916: Verify that Windows Firewall: Public: Inbound connections is set to Block (default) [Added]
- I2917: Verify that Windows Firewall: Public: Outbound connections is set to Allow (default) [Added]
- I2918: Verify that Windows Firewall logging is configured correctly [Added]
- I2919: Verify Windows Firewall settings for logging size limit [Added]
- I2920: Verify that Windows Firewall is logging dropped packets [Added]
- I2921: Verify that Windows Firewall logs successful connections [Added]
T5789: Verify the configuration of SMBv1 client driver service settings (Azure Windows Member Server) [Added]
- P3507: Lack of SMB Packet Security (Azure Windows Member Server) [Added]
- I2942: Verify that 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)' [Added]
- I2943: Verify that 'Configure SMB v1 server' is set to 'Disabled' [Added]
- I2944: Verify that 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled' [Added]
- I2945: Verify that 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)' [Added]
- I2947: Verify that MSS: (DisableIPSourceRouting IPv6) IP source routing protection level is set to Enabled: Highest protection [Added]
- I2948: Verify that MSS: (DisableIPSourceRouting) IP source routing protection level is set to Enabled: Highest protection [Added]
- I2949: Verify that 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' [Added]
- I2950: Verify that the computer ignores NetBIOS name release requests [Added]
T5790: Verify the recommended state for Attack Surface Reduction rules (Azure Windows Member Server) [Added]
- P3508: Excessive Attack Surface Exposure (Azure Windows Member Server) [Added]
- I2951: Verify that 'Turn off multicast name resolution' is set to 'Enabled' [Added]
- I2956: Test that 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: ..... [Added]
- I2987: Verify that 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' [Added]
- I2988: Verify that 'Turn off heap termination on corruption' is set to 'Disabled' [Added]
- I2989: Verify that 'Turn off shell protocol protected mode' is set to 'Disabled' [Added]
- I2994: Verify that 'Configure Attack Surface Reduction rules' is set to 'Enabled' [Added]
- I2995: Verify that the Attack Surface Reduction rules are configured [Added]
T5791: Verify the security settings for Remote Desktop Connection (Azure Windows Member Server) [Added]
- P3509: Credential Exposure via Remote Desktop Connection (Azure Windows Member Server) [Added]
- I2958: Verify that 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients' [Added]
- I2959: Verify that Remote host allows delegation of non-exportable credentials is set to Enabled [Added]
- I2976: Verify that 'Do not display the password reveal button' is set to 'Enabled' [Added]
- I2977: Verify that 'Enumerate administrator accounts on elevation' is set to 'Disabled' [Added]
- I3002: Verify that 'Do not allow passwords to be saved' is set to 'Enabled' [Added]
- I3022: Verify that 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' [Added]
T5792: Verify that Virtualization Based Security is enabled (Azure Windows Member Server) [Added]
- P3510: Firmware Vulnerabilities and Unauthorized Access (Azure Windows Member Server) [Added]
- I2960: Verify that 'Turn On Virtualization Based Security' is set to 'Enabled' [Added]
- I2961: Verify that 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection' [Added]
- I2962: Verify that 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock' [Added]
- I2963: Verify that 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)' [Added]
- I2964: Test that 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock' (MS Only) [Added]
- I2965: Verify that 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled' [Added]
T5793: Verify the implementation of Driver Policy (Azure Windows Member Server) [Added]
- P3511: Lack of Driver Policy (Azure Windows Member Server) [Added]
- I2966: Verify that 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' [Added]
- I2967: Verify that 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' [Added]
T5794: Verify Remote Desktop Services security settings (Azure Windows Member Server) [Added]
- P3512: Unsecured Remote Procedure Call Communications (Azure Windows Member Server) [Added]
- I2970: Verify that 'Configure Offer Remote Assistance' is set to 'Disabled' [Added]
- I2971: Verify that 'Configure Solicited Remote Assistance' is set to 'Disabled' [Added]
- I2972: Verify that 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' (MS only) [Added]
- I3004: Verify that 'Always prompt for password upon connection' is set to 'Enabled' [Added]
- I3005: Verify that 'Require secure RPC communication' is set to 'Enabled' [Added]
- I3006: Verify that 'Set client connection encryption level' is set to 'Enabled: High Level' [Added]
T5795: Verify the Event Log behavior settings (Azure Windows Member Server) [Added]
- P3513: Improper Event Log Configuration (Azure Windows Member Server) [Added]
- I2979: Verify Application Control Event Log behavior when the log file reaches its maximum size [Added]
- I2980: Verify that the maximum log file size is set to 32,768 KB or greater [Added]
- I2981: Verify that Security: Control Event Log behavior is set to Disabled [Added]
- I2982: Verify that the maximum log file size is set to Enabled: 196,608 or greater [Added]
- I2983: Verify that Control Event Log behavior is set to Disabled [Added]
- I2984: Verify that the maximum log file size is set to 32,768 KB or greater [Added]
- I2985: Verify System Control Event Log behavior when the log file reaches its maximum size is set to Disabled [Added]
- I2986: Verify that the maximum log file size is set to 32,768 or greater [Added]
- I3015: Verify that 'Turn on PowerShell Script Block Logging' is set to 'Enabled' [Added]
T5796: Test the policy setting for Potentially Unwanted Applications (Azure Windows Member Server) [Added]
- P3514: Potentially Unwanted Application Vulnerability (Azure Windows Member Server) [Added]
- I2991: Test that 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block' [Added]
- I2992: Verify that 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled' [Added]
- I3011: Verify that Windows Defender SmartScreen is configured correctly [Added]
T5797: Verify the configuration for Microsoft Defender Antivirus Cloud Protection Service (Azure Windows Member Server) [Added]
- P3515: Improper Configuration of Microsoft Defender Antivirus Cloud Protection Service (Azure Windows Member Server) [Added]
- I2993: Verify that 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' [Added]
- I3009: Verify that 'Prevent downloading of enclosures' is set to 'Enabled' [Added]
- I3016: Verify that 'Turn on PowerShell Transcription' is set to 'Disabled' [Added]
T5798: Verify that email scanning is enabled (Azure Windows Member Server) [Added]
- P3516: Unscanned Scripts and Email Attachments (Azure Windows Member Server) [Added]
- I2997: Verify that 'Scan all downloaded files and attachments' is set to 'Enabled' [Added]
- I2998: Verify that 'Turn off real-time protection' is set to 'Disabled' [Added]
- I2999: Verify that 'Turn on behavior monitoring' is set to 'Enabled' [Added]
- I3000: Verify that 'Turn on script scanning' is set to 'Enabled' [Added]
- I3001: Verify that e-mail scanning is set to Enabled [Added]
T5799: Enforce strong password policies for user accounts (Azure Windows Member Server) [Added]
- P3500: Weak Password Policies (Azure Windows Member Server) [Added]
- I2582: (L1) Ensure 'Enforce password history' is set to '24 or more password(s)' [Added]
- I2583: (L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' [Added]
- I2584: (L1) Ensure 'Minimum password age' is set to '1 or more day(s)' [Added]
- I2585: (L1) Ensure 'Minimum password length' is set to '14 or more character(s)' [Added]
- I2586: (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled' [Added]
- I2587: (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' [Added]
T5800: Implement strict user rights management (Azure Windows Member Server) [Added]
- P3501: Inadequate User Rights Management (Azure Windows Member Server) [Added]
- I2588: (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' [Added]
- I2589: (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users' (MS only) [Added]
- I2590: (L1) Ensure 'Act as part of the operating system' is set to 'No One' [Added]
- I2591: (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE' [Added]
- I2592: (L1) Ensure 'Allow log on locally' is set to 'Administrators' [Added]
- I2593: (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only) [Added]
- I2594: (L1) Ensure 'Back up files and directories' is set to 'Administrators, Backup Operators' [Added]
- I2595: (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE' [Added]
- I2596: (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE' [Added]
- I2597: (L1) Ensure 'Create a pagefile' is set to 'Administrators' [Added]
- I2598: (L1) Ensure 'Create a token object' is set to 'No One' [Added]
- I2599: (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' [Added]
- I2600: (L1) Ensure 'Create permanent shared objects' is set to 'No One' [Added]
- I2601: (L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\Virtual Machines' (MS only) [Added]
- I2602: (L1) Ensure 'Debug programs' is set to 'Administrators' [Added]
- I2603: (L1) Ensure 'Deny access to this computer from the network' to include 'Guests' [Added]
- I2604: (L1) Ensure 'Deny log on as a batch job' to include 'Guests' [Added]
- I2605: (L1) Ensure 'Deny log on as a service' to include 'Guests' [Added]
- I2606: (L1) Ensure 'Deny log on locally' to include 'Guests' [Added]
- I2607: (L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests' [Added]
- I2609: (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators' [Added]
- I2610: (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' [Added]
- I2611: (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, ALL SERVICE and 'IIS_IUSRS' (MS only) [Added]
- I2612: (L1) Ensure 'Increase scheduling priority' is set to 'Administrators' [Added]
- I2613: (L1) Ensure 'Load and unload device drivers' is set to 'Administrators' [Added]
- I2614: (L1) Ensure 'Lock pages in memory' is set to 'No One' [Added]
- I2615: (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only) [Added]
- I2616: (L1) Ensure 'Modify an object label' is set to 'No One' [Added]
- I2617: (L1) Ensure 'Modify firmware environment values' is set to 'Administrators' [Added]
- I2618: (L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators' [Added]
- I2619: (L1) Ensure 'Profile single process' is set to 'Administrators' [Added]
- I2620: (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost' [Added]
- I2621: (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' [Added]
- I2622: (L1) Ensure 'Restore files and directories' is set to 'Administrators, Backup Operators' [Added]
- I2623: (L1) Ensure 'Shut down the system' is set to 'Administrators, Backup Operators' [Added]
- I2624: (L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators' [Added]
- I2632: (L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators' [Added]
- I2633: (L1) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' [Added]
- I2671: (L1) Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled' [Added]
- I2725: (L1) Ensure 'WDigest Authentication' is set to 'Disabled' [Added]
- I2731: (L1) Ensure 'Enable insecure guest logons' is set to 'Disabled' [Added]
- I2748: (L1) Ensure 'Do not display network selection UI' is set to 'Enabled' [Added]
- I2754: (L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled' [Added]
- I2757: (L1) Ensure 'Allow Diagnostic Data' is set to 'Enabled: Send required diagnostic data' [Added]
- I2775: (L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block' [Added]
- I2789: (L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled' [Added]
- I2791: (L1) Ensure 'Allow user control over installs' is set to 'Disabled' [Added]
- I2792: (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' [Added]
- I2793: (L1) Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled' [Added]
- I2796: (L1) Ensure 'Allow Basic authentication' is set to 'Disabled' [Added]
- I2797: (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' [Added]
- I2798: (L1) Ensure 'Disallow Digest authentication' is set to 'Enabled' [Added]
- I2799: (L1) Ensure 'Allow Basic authentication' is set to 'Disabled' [Added]
- I2800: (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' [Added]
- I2802: (L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled' [Added]
T5801: Enhance security posture of Active Directory environment (Azure Windows Member Server) [Added]
- P3502: Unauthorized Access and Impersonation Risks (Azure Windows Member Server) [Added]
- I2608: (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (MS only) [Added]
- I2625: (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts' [Added]
- I2626: (L1) Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only) [Added]
- I2627: (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled' [Added]
- I2628: (L1) Configure 'Accounts: Rename administrator account' [Added]
- I2629: (L1) Configure 'Accounts: Rename guest account' [Added]
- I2672: (L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled' [Added]
- I2673: (L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to ........ [Added]
- I2674: (L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests' [Added]
- I2675: (L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' [Added]
- I2676: (L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled' [Added]
- I2677: (L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled' [Added]
- I2678: (L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled' [Added]
- I2679: (L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled' [Added]
- I2747: (L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled' [Added]
- I2752: (L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled' [Added]
- I2753: (L1) Ensure 'Turn off cloud consumer account state content' is set to 'Enabled' [Added]
- I2769: (L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled' [Added]
T5802: Implement detailed auditing for security events (Azure Windows Member Server) [Added]
- P3503: Lack of Detailed Auditing for Security Events (Azure Windows Member Server) [Added]
- I2630: (L1) Ensure 'Audit: Force audit policy subcategory settings to override audit policy category settings' is set to 'Enabled' [Added]
- I2631: (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' [Added]
- I2701: (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure' [Added]
- I2702: (L1) Ensure 'Audit Security Group Management' is set to include 'Success' [Added]
- I2703: (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure' [Added]
- I2704: (L1) Ensure 'Audit PNP Activity' is set to include 'Success' [Added]
- I2705: (L1) Ensure 'Audit Process Creation' is set to include 'Success' [Added]
- I2706: (L1) Ensure 'Audit Account Lockout' is set to include 'Success and Failure' [Added]
- I2707: (L1) Ensure 'Audit Group Membership' is set to include 'Success' [Added]
- I2708: (L1) Ensure 'Audit Logoff' is set to include 'Success' [Added]
- I2709: (L1) Ensure 'Audit Logon' is set to 'Success and Failure' [Added]
- I2710: (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' [Added]
- I2711: (L1) Ensure 'Audit Special Logon' is set to include 'Success' [Added]
- I2712: (L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' [Added]
- I2713: (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure' [Added]
- I2714: (L1) Ensure 'Audit Audit Policy Change' is set to include 'Success' [Added]
- I2715: (L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success' [Added]
- I2716: (L1) Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure' [Added]
- I2717: (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' [Added]
- I2718: (L1) Ensure 'Audit Security State Change' is set to include 'Success' [Added]
- I2719: (L1) Ensure 'Audit Security System Extension' is set to include 'Success' [Added]
- I2720: (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' [Added]
- I2736: (L1) Ensure 'Include command line in process creation events' is set to 'Enabled' [Added]
T5803: Configure secure channel traffic encryption and signing (Azure Windows Member Server) [Added]
- P3504: Lack of Encryption and Signing for Secure Channel Traffic (Azure Windows Member Server) [Added]
- I2634: (L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled' [Added]
- I2635: (L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled' [Added]
- I2636: (L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled' [Added]
- I2637: (L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled' [Added]
- I2638: (L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' [Added]
- I2680: (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)' [Added]
- I2681: (L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)' [Added]
- I2682: (L1) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)' [Added]
- I2683: (L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log' [Added]
- I2684: (L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater' [Added]
- I2685: (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' [Added]
- I2686: (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' [Added]
T5804: Implement an inactivity lock screen policy for Windows systems (Azure Windows Member Server) [Added]
- P3505: Lack of Inactivity Lock Screen Policy (Azure Windows Member Server) [Added]
- I2639: (L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0' [Added]
- I2640: (L1) Configure 'Interactive logon: Message text for users attempting to log on' [Added]
- I2641: (L1) Configure 'Interactive logon: Message title for users attempting to log on' [Added]
- I2642: (L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days' [Added]
- I2786: (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' [Added]
- I2787: (L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled' [Added]
T5805: Enable SMB packet signing for secure data transmission (Azure Windows Member Server) [Added]
- P3507: Lack of SMB Packet Security (Azure Windows Member Server) [Added]
- I2643: (L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled' [Added]
- I2644: (L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled' [Added]
- I2645: (L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled' [Added]
- I2646: (L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)' [Added]
- I2647: (L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled' [Added]
- I2648: (L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled' [Added]
- I2649: (L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' [Added]
- I2650: (L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher (MS only) [Added]
- I2651: (L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled' [Added]
- I2652: (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' (MS only) [Added]
- I2653: (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' (MS only) [Added]
- I2654: (L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' [Added]
- I2655: (L1) Configure 'Network access: Named Pipes that can be accessed anonymously' (MS only) [Added]
- I2656: (L1) Configure 'Network access: Remotely accessible registry paths' is configured [Added]
- I2657: (L1) Configure 'Network access: Remotely accessible registry paths and sub-paths' is configured [Added]
- I2658: (L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' [Added]
- I2659: (L1) Ensure Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow (MS only) [Added]
- I2660: (L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None' [Added]
- I2661: (L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves' [Added]
- I2662: (L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled' [Added]
- I2663: (L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled' [Added]
- I2664: (L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled' [Added]
- I2665: (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1,...' [Added]
- I2666: (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' [Added]
- I2667: (L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM' [Added]
- I2668: (L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher [Added]
- I2669: (L1) Ensure 'Network security: Minimum session security for NTLM SSP based clients' is set to ...... [Added]
- I2670: (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to ......... [Added]
- I2732: (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled' [Added]
- I2733: (L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' [Added]
- I2734: (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for ..... [Added]
- I2782: (L1) Ensure 'Do not allow drive redirection' is set to 'Enabled' [Added]
T5806: Implement Windows Firewall with Advanced Security (Azure Windows Member Server) [Added]
- P3506: Lack of Network Traffic Filtering (Azure Windows Member Server) [Added]
- I2687: (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)' [Added]
- I2688: (L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)' [Added]
- I2689: (L1) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)' [Added]
- I2690: (L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log' [Added]
- I2691: (L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' [Added]
- I2692: (L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' [Added]
- I2693: (L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes' [Added]
- I2694: (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)' [Added]
- I2695: (L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)' [Added]
- I2696: (L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' [Added]
- I2697: (L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log' [Added]
- I2698: (L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' [Added]
- I2699: (L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes' [Added]
- I2700: (L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes' [Added]
T5807: Disable outdated SMBv1 protocol (Azure Windows Member Server) [Added]
- P3507: Lack of SMB Packet Security (Azure Windows Member Server) [Added]
- I2721: (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)' [Added]
- I2722: (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled' [Added]
- I2723: (L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled' [Added]
- I2724: (L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)' [Added]
- I2726: (L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to ....... [Added]
- I2727: (L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to ..... [Added]
- I2728: (L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' [Added]
- I2729: (L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except ...... [Added]
T5808: Implement Attack Surface Reduction Rules (Azure Windows Member Server) [Added]
- P3508: Excessive Attack Surface Exposure (Azure Windows Member Server) [Added]
- I2730: (L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled' [Added]
- I2735: (L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: ..... [Added]
- I2766: (L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' [Added]
- I2767: (L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled' [Added]
- I2768: (L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' [Added]
- I2773: (L1) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled' [Added]
- I2774: (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured [Added]
T5809: Enable Windows Defender Remote Credential Guard (Azure Windows Member Server) [Added]
- P3509: Credential Exposure via Remote Desktop Connection (Azure Windows Member Server) [Added]
- I2737: (L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients' [Added]
- I2738: (L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' [Added]
- I2755: (L1) Ensure 'Do not display the password reveal button' is set to 'Enabled' [Added]
- I2756: (L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' [Added]
- I2781: (L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled' [Added]
- I2801: (L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' [Added]
T5810: Enhance security posture with Virtualization Based Security (Azure Windows Member Server) [Added]
- P3510: Firmware Vulnerabilities and Unauthorized Access (Azure Windows Member Server) [Added]
- I2739: (NG) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' [Added]
- I2740: (NG) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection' [Added]
- I2741: (NG) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock' [Added]
- I2742: (NG) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)' [Added]
- I2743: (NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock' (MS Only) [Added]
- I2744: (NG) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled' [Added]
T5811: Implement Driver Policy (Azure Windows Member Server) [Added]
- P3511: Lack of Driver Policy (Azure Windows Member Server) [Added]
- I2745: (L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' [Added]
- I2746: (L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' [Added]
T5812: Enhance security of Remote Procedure Call communications (Azure Windows Member Server) [Added]
- P3512: Unsecured Remote Procedure Call Communications (Azure Windows Member Server) [Added]
- I2749: (L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled' [Added]
- I2750: (L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' [Added]
- I2751: (L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' (MS only) [Added]
- I2783: (L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled' [Added]
- I2784: (L1) Ensure 'Require secure RPC communication' is set to 'Enabled' [Added]
- I2785: (L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level' [Added]
T5813: Configure Event Log Settings for Data Integrity (Azure Windows Member Server) [Added]
- P3513: Improper Event Log Configuration (Azure Windows Member Server) [Added]
- I2758: (L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' [Added]
- I2759: (L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' [Added]
- I2760: (L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' [Added]
- I2761: (L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' [Added]
- I2762: (L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' [Added]
- I2763: (L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' [Added]
- I2764: (L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' [Added]
- I2765: (L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' [Added]
- I2794: (L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled' [Added]
T5814: Block potentially unwanted applications with Microsoft Defender Antivirus (Azure Windows Member Server) [Added]
- P3514: Potentially Unwanted Application Vulnerability (Azure Windows Member Server) [Added]
- I2770: (L1) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block' [Added]
- I2771: (L1) Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled' [Added]
- I2790: (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' [Added]
T5815: Configure Microsoft Defender Antivirus Cloud Protection Service (Azure Windows Member Server) [Added]
- P3515: Improper Configuration of Microsoft Defender Antivirus Cloud Protection Service (Azure Windows Member Server) [Added]
- I2772: (L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' [Added]
- I2788: (L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled' [Added]
- I2795: (L1) Ensure 'Turn on PowerShell Transcription' is set to 'Disabled' [Added]
T5816: Scan scripts and email attachments for threats (Azure Windows Member Server) [Added]
- P3516: Unscanned Scripts and Email Attachments (Azure Windows Member Server) [Added]
- I2776: (L1) Ensure 'Scan all downloaded files and attachments' is set to 'Enabled' [Added]
- I2777: (L1) Ensure 'Turn off real-time protection' is set to 'Disabled' [Added]
- I2778: (L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled' [Added]
- I2779: (L1) Ensure 'Turn on script scanning' is set to 'Enabled' [Added]
- I2780: (L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled' [Added]
T5817: Verify the policy settings for Windows security features (Azure Windows Member Server) [Added]
- P3517: Lack of policy settings for Windows security features (Azure Windows Member Server) [Added]
- I3031: Verify that 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled' [Added]
- I3032: Verify that the default permissions of internal system objects are strengthened [Added]
- I3033: Verify that 'Allow users to enable online speech recognition services' is set to 'Disabled' [Added]
- I3034: Verify that the registry policy processing is configured correctly [Added]
- I3035: Verify that the registry policy processing is configured correctly [Added]
- I3036: Verify that 'Continue experiences on this device' is set to 'Disabled' [Added]
- I3037: Verify that 'Turn off background refresh of Group Policy' is set to 'Disabled' [Added]
T5818: Enforce policy settings for Windows security features (Azure Windows Member Server) [Added]
- P3517: Lack of policy settings for Windows security features (Azure Windows Member Server) [Added]
- I3024: Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled' [Added]
- I3025: Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled' [Added]
- I3026: Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled' [Added]
- I3027: Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' [Added]
- I3028: Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE' [Added]
- I3029: Ensure 'Continue experiences on this device' is set to 'Disabled' [Added]
- I3030: Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' [Added]
T5819: Configure Kafka Brokers to Use TLS for Data in Transit [Added]
- P3518: Lack of Encryption for Data in Transit (Apache Kafka) [Added]
T5820: Set up Kafka to authenticate all connections [Added]
- P3519: Lack of Authentication in Kafka Connections (Apache Kafka) [Added]
T5821: Enable TLS and SASL Authentication for ZooKeeper [Added]
- P3520: Lack of TLS and SASL Authentication (ZooKeeper) [Added]
T5822: Deploy a Consistent, Secure Configuration Across All Brokers [Added]
- P3521: Inconsistent and Insecure Broker Configuration (Distributed Messaging Systems) [Added]
T5823: Enable Detailed Logging and Auditing in Kafka [Added]
- P3522: Lack of Detailed Logging and Auditing (Kafka) [Added]
T5824: Deploy Kafka in a Segmented Network Zone [Added]
- P3523: Network Segmentation Weakness in Kafka Deployment [Added]
T5825: Implement Encryption for Kafka Log and Data Directories [Added]
- P3524: Lack of Encryption for Kafka Log and Data Directories (Apache Kafka) [Added]
T5826: Leverage Kafka’s Quota Features [Added]
- P3525: Lack of Resource Quotas (Apache Kafka) [Added]
T5827: Protect Sensitive Configuration Values [Added]
- P3526: Exposure of Sensitive Configuration Values (General Software) [Added]
T5828: Enable Transport Layer Security (TLS) for gRPC Communications [Added]
- P3527: Lack of Transport Layer Security (TLS) in gRPC Communications (gRPC) [Added]
T5829: Use Mutual TLS for Authentication [Added]
- P3528: Lack of Mutual TLS Authentication (gRPC Services) [Added]
T5830: Configure gRPC to use only modern TLS versions [Added]
- P3529: Use of Outdated TLS Versions and Weak Cipher Suites (gRPC) [Added]
T5831: Turn off gRPC server reflection in production [Added]
- P3530: Exposed gRPC Server Reflection (gRPC Server) [Added]
T5832: Design Idempotent Methods for Critical Operations [Added]
- P3531: Replay Attack Vulnerability in Critical Operations (gRPC Services) [Added]
T5833: Enforce Rate Limiting on gRPC Endpoints [Added]
- P3532: Lack of Rate Limiting on gRPC Endpoints (gRPC Services) [Added]
T5834: Tune gRPC server settings to constrain resource usage [Added]
- P3533: Resource Exhaustion Vulnerability (gRPC Server) [Added]
T5835: Maintain Secure Deployment Configurations [Added]
- P3534: Misconfigured Deployment Settings (gRPC) [Added]
T5836: Deploy gRPC services in a segmented network zone with strict firewall rules [Added]
- P3535: Improper Network Segmentation and Access Control (gRPC Services) [Added]
T5837: Enable detailed logging on the gRPC server [Added]
- P3536: Lack of Detailed Logging (gRPC Server) [Added]
T5838: Set up monitoring dashboards and automated alerts [Added]
- P3537: Lack of Real-Time Monitoring and Alerting (gRPC) [Added]
T5839: Keep gRPC server application and OS up to date with security patches [Added]
- P3538: Outdated Software Vulnerabilities (gRPC Server) [Added]
T5840: Enforce strong password policies for user accounts (Azure Windows Domain Controller) [Added]
- P3539: Weak Password Policies (Azure Windows Domain Controller) [Added]
- I3043: (L1 - DC) Ensure 'Enforce password history' is set to '24 or more password(s)' [Added]
- I3044: (L1 - DC) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' [Added]
- I3045: (L1 - DC) Ensure 'Minimum password age' is set to '1 or more day(s)' [Added]
- I3046: (L1 - DC) Ensure 'Minimum password length' is set to '14 or more character(s)' [Added]
- I3047: (L1 - DC) Ensure 'Password must meet complexity requirements' is set to 'Enabled' [Added]
- I3048: (L1 - DC) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' [Added]
T5841: Implement strict user rights for sensitive privileges (Azure Windows Domain Controller) [Added]
- P3540: Excessive User Privileges (Azure Windows Domain Controller) [Added]
- I3049: (L1 - DC) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' [Added]
- I3050: (L1 - DC) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users, .....' (DC only) [Added]
- I3051: (L1 - DC) Ensure 'Act as part of the operating system' is set to 'No One' [Added]
- I3052: (L1 - DC) Ensure 'Add workstations to domain' is set to 'Administrators' (DC only) [Added]
- I3053: (L1 - DC) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE' [Added]
- I3054: (L1 - DC) Ensure 'Allow log on locally' is set to 'Administrators' [Added]
- I3055: (L1 - DC) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators' (DC only) [Added]
- I3056: (L1 - DC) Ensure 'Back up files and directories' is set to 'Administrators, Backup Operators' [Added]
- I3057: (L1 - DC) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE' [Added]
- I3058: (L1 - DC) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE' [Added]
- I3059: (L1 - DC) Ensure 'Create a pagefile' is set to 'Administrators' [Added]
- I3060: (L1 - DC) Ensure 'Create a token object' is set to 'No One' [Added]
- I3061: (L1 - DC) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' [Added]
- I3062: (L1 - DC) Ensure 'Create permanent shared objects' is set to 'No One' [Added]
- I3063: (L1 - DC) Ensure 'Create symbolic links' is set to 'Administrators' (DC only) [Added]
- I3064: (L1 - DC) Ensure 'Debug programs' is set to 'Administrators' [Added]
- I3065: (L1 - DC) Ensure 'Deny access to this computer from the network' to include 'Guests' [Added]
- I3066: (L1 - DC) Ensure 'Deny log on as a batch job' to include 'Guests' [Added]
- I3067: (L1 - DC) Ensure 'Deny log on as a service' to include 'Guests' [Added]
- I3068: (L1 - DC) Ensure 'Deny log on locally' to include 'Guests' [Added]
- I3069: (L1 - DC) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests' [Added]
- I3070: (L1 - DC) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'Administrators' (DC only) [Added]
- I3071: (L1 - DC) Ensure 'Force shutdown from a remote system' is set to 'Administrators' [Added]
- I3072: (L1 - DC) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' [Added]
- I3073: (L1 - DC) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' (DC only) [Added]
- I3074: (L1 - DC) Ensure 'Increase scheduling priority' is set to 'Administrators' [Added]
- I3075: (L1 - DC) Ensure 'Load and unload device drivers' is set to 'Administrators' [Added]
- I3076: (L1 - DC) Ensure 'Lock pages in memory' is set to 'No One' [Added]
- I3077: (L1 - DC) Ensure 'Manage auditing and security log' is set to 'Administrators' and 'Exchange Servers' (DC only) [Added]
- I3078: (L1 - DC) Ensure 'Modify an object label' is set to 'No One' [Added]
- I3079: (L1 - DC) Ensure 'Modify firmware environment values' is set to 'Administrators' [Added]
- I3080: (L1 - DC) Ensure 'Perform volume maintenance tasks' is set to 'Administrators' [Added]
- I3081: (L1 - DC) Ensure 'Profile single process' is set to 'Administrators' [Added]
- I3082: (L1 - DC) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost' [Added]
- I3083: (L1 - DC) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' [Added]
- I3084: (L1 - DC) Ensure 'Restore files and directories' is set to 'Administrators, Backup Operators' [Added]
- I3085: (L1 - DC) Ensure 'Shut down the system' is set to 'Administrators, Backup Operators' [Added]
- I3086: (L1 - DC) Ensure 'Synchronize directory service data' is set to 'No One' (DC only) [Added]
- I3087: (L1 - DC) Ensure 'Take ownership of files or other objects' is set to 'Administrators' [Added]
T5842: Restrict unauthorized Microsoft account creation (Azure Windows Domain Controller) [Added]
- P3541: Unauthorized Microsoft Account Creation (Azure Windows Domain Controller) [Added]
- I3088: (L1 - DC) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts' [Added]
- I3089: (L1 - DC) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled' [Added]
- I3090: (L1 - DC) Configure 'Accounts: Rename administrator account' [Added]
- I3091: (L1 - DC) Configure 'Accounts: Rename guest account' [Added]
T5843: Enhance security monitoring with precise auditing capabilities (Azure Windows Domain Controller) [Added]
- P3542: Inadequate Security Monitoring Due to Insufficient Auditing Capabilities (Azure Windows Domain Controller) [Added]
- I3092: (L1 - DC) Ensure 'Audit: Force audit policy subcategory settings to override audit policy category settings' is set to 'Enabled' [Added]
- I3093: (L1 - DC) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' [Added]
T5844: Restrict access to removable NTFS media (Azure Windows Domain Controller) [Added]
- P3543: Unauthorized Access to Removable NTFS Media (Azure Windows Domain Controller) [Added]
- I3094: (L1 - DC) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators' [Added]
- I3095: (L1 - DC) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' [Added]
T5845: Ensure secure LDAP communications with signing requirements (Azure Windows Domain Controller) [Added]
- P3544: Unsigned LDAP Communications (Azure Windows Domain Controller) [Added]
- I3096: (L1 - DC) Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only) [Added]
- I3097: (L1 - DC) Ensure 'Domain controller: Allow vulnerable Netlogon secure channel connections' is set to 'Not Configured' (DC Only) [Added]
- I3098: (L1 - DC) Ensure 'Domain controller: LDAP server channel binding token requirements' is set to 'Always' (DC Only) [Added]
- I3099: (L1 - DC) Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only) [Added]
- I3100: (L1 - DC) Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' (DC only) [Added]
T5846: Ensure secure channel traffic is signed and encrypted (Group Policy Management) [Added]
- P3545: Lack of Encryption and Signing in Secure Channel Traffic (Azure Windows Domain Controller) [Added]
- I3101: (L1 - DC) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled' [Added]
- I3102: (L1 - DC) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled' [Added]
- I3103: (L1 - DC) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled' [Added]
- I3104: (L1 - DC) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled' [Added]
- I3105: (L1 - DC) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' [Added]
T5847: Implement an inactivity lock screen policy (Azure Windows Domain Controller) [Added]
- P3546: Lack of Inactivity Lock Screen Policy (Azure Windows Domain Controller) [Added]
- I3106: (L1 - DC) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0' [Added]
- I3107: (L1 - DC) Configure 'Interactive logon: Message text for users attempting to log on' [Added]
- I3108: (L1 - DC) Configure 'Interactive logon: Message title for users attempting to log on' [Added]
- I3109: (L1 - DC) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days' [Added]
T5848: Enhance SMB Security by Enabling Packet Signing (Azure Windows Domain Controller) [Added]
- P3547: Lack of SMB Packet Signing and Use of Plaintext Passwords (Azure Windows Domain Controller) [Added]
- I3110: (L1 - DC) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled' [Added]
- I3111: (L1 - DC) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled' [Added]
- I3112: (L1 - DC) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled' [Added]
T5849: Configure SMB session security settings (Azure Windows Domain Controller) [Added]
- P3548: Improper Session Management and Lack of Packet Signing (Azure Windows Domain Controller) [Added]
- I3113: (L1 - DC) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)' [Added]
- I3114: (L1 - DC) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled' [Added]
- I3115: (L1 - DC) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled' [Added]
- I3116: (L1 - DC) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' [Added]
T5850: Restrict anonymous access to enhance network security (Azure Windows Domain Controller) [Added]
- P3549: Anonymous Access to Network Resources (Azure Windows Domain Controller) [Added]
- I3117: (L1 - DC) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled' [Added]
- I3118: (L1 - DC) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' [Added]
- I3119: (L1 - DC) Configure 'Network access: Named Pipes that can be accessed anonymously' (DC only) [Added]
- I3120: (L1 - DC) Configure 'Network access: Remotely accessible registry paths' is configured [Added]
- I3121: (L1 - DC) Configure 'Network access: Remotely accessible registry paths and sub-paths' is configured [Added]
- I3122: (L1 - DC) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' [Added]
- I3123: (L1 - DC) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None' [Added]
- I3124: (L1 - DC) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - ..... [Added]
T5851: Enhance NTLM Authentication Settings for Windows Security (Azure Windows Domain Controller) [Added]
- P3550: Weak NTLM Authentication Protocols (Azure Windows Domain Controller) [Added]
- I3125: (L1 - DC) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled' [Added]
- I3126: (L1 - DC) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled' [Added]
- I3127: (L1 - DC) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled' [Added]
- I3128: (L1 - DC) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, ..... [Added]
- I3129: (L1 - DC) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' [Added]
- I3130: (L1 - DC) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM' [Added]
- I3131: (L1 - DC) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher [Added]
- I3132: (L1 - DC) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to ..... [Added]
- I3133: (L1 - DC) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to ..... [Added]
T5852: Restrict shutdown capabilities to authenticated users only (Azure Windows Domain Controller) [Added]
- P3551: Unauthorized System Shutdown (Azure Windows Domain Controller) [Added]
- I3134: (L1 - DC) Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled' [Added]
T5853: Enable case sensitivity in Windows environment (Azure Windows Domain Controller) [Added]
- P3552: Case Insensitivity in File Systems (Azure Windows Domain Controller) [Added]
- I3135: (L1 - DC) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled' [Added]
- I3136: (L1 - DC) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled' [Added]
T5854: Enhance security posture with User Account Control settings (Azure Windows Domain Controller) [Added]
- P3553: Insufficient User Privilege Management (Azure Windows Domain Controller) [Added]
- I3137: (L1 - DC) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled' [Added]
- I3138: (L1 - DC) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to ..... [Added]
- I3139: (L1 - DC) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to ..... [Added]
- I3140: (L1 - DC) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' [Added]
- I3141: (L1 - DC) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled' [Added]
- I3142: (L1 - DC) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled' [Added]
- I3143: (L1 - DC) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled' [Added]
- I3144: (L1 - DC) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled' [Added]
T5855: Disable print job spooling service (Azure Windows Domain Controller) [Added]
- P3554: Unauthorized Access to Print Jobs (Azure Windows Domain Controller) [Added]
- I3145: (L1 - DC) Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (DC only) [Added]
T5856: Enable logging for network traffic in Windows Firewall with Advanced Security (Azure Windows Domain Controller) [Added]
- P3555: Lack of Network Traffic Visibility (Azure Windows Domain Controller) [Added]
- I3146: (L1 - DC) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)' [Added]
- I3147: (L1 - DC) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)' [Added]
- I3148: (L1 - DC) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)' [Added]
- I3149: (L1 - DC) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log' [Added]
- I3150: (L1 - DC) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater' [Added]
- I3151: (L1 - DC) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' [Added]
- I3152: (L1 - DC) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' [Added]
T5857: Enable logging for Windows Firewall with Advanced Security (Azure Windows Domain Controller) [Added]
- P3556: Lack of Logging for Windows Firewall with Advanced Security (Azure Windows Domain Controller) [Added]
- I3153: (L1 - DC) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)' [Added]
- I3154: (L1 - DC) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)' [Added]
- I3155: (L1 - DC) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)' [Added]
- I3156: (L1 - DC) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log' [Added]
- I3157: (L1 - DC) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' [Added]
- I3158: (L1 - DC) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' [Added]
- I3159: (L1 - DC) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes' [Added]
T5858: Implement logging for Windows Firewall with Advanced Security (Azure Windows Domain Controller) [Added]
- P3557: Lack of Logging for Network Traffic (Azure Windows Domain Controller) [Added]
- I3160: (L1 - DC) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)' [Added]
- I3161: (L1 - DC) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)' [Added]
- I3162: (L1 - DC) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' [Added]
- I3163: (L1 - DC) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log' [Added]
- I3164: (L1 - DC) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' [Added]
- I3165: (L1 - DC) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes' [Added]
- I3166: (L1 - DC) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes' [Added]
T5859: Strengthen security posture through comprehensive Windows audit policies (Azure Windows Domain Controller) [Added]
- P3558: Lack of visibility into unauthorized or suspicious user and system activities(Azure Windows Domain Controller) [Added]
- I3167: (L1 - DC) Ensure 'Audit Credential Validation' is set to 'Success and Failure' [Added]
- I3168: (L1 - DC) Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only) [Added]
- I3169: (L1 - DC) Ensure 'Audit Computer Account Management' is set to include 'Success and Failure' (DC only) [Added]
- I3170: (L1 - DC) Ensure 'Audit Distribution Group Management' is set to include 'Success and Failure' (DC only) [Added]
- I3171: (L1 - DC) Ensure 'Audit Other Account Management Events' is set to include 'Success' (DC only) [Added]
- I3172: (L1 - DC) Ensure 'Audit Security Group Management' is set to include 'Success' [Added]
- I3173: (L1 - DC) Ensure 'Audit User Account Management' is set to 'Success and Failure' [Added]
- I3174: (L1 - DC) Ensure 'Audit PNP Activity' is set to include 'Success' [Added]
- I3175: (L1 - DC) Ensure 'Audit Process Creation' is set to include 'Success' [Added]
- I3176: (L1 - DC) Ensure 'Audit Account Lockout' is set to include 'Success and Failure' [Added]
- I3177: (L1 - DC) Ensure 'Audit Group Membership' is set to include 'Success' [Added]
- I3178: (L1 - DC) Ensure 'Audit Logoff' is set to include 'Success' [Added]
- I3179: (L1 - DC) Ensure 'Audit Logon' is set to 'Success and Failure' [Added]
- I3180: (L1 - DC) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' [Added]
- I3181: (L1 - DC) Ensure 'Audit Special Logon' is set to include 'Success' [Added]
- I3182: (L1 - DC) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' [Added]
- I3183: (L1 - DC) Ensure 'Audit Removable Storage' is set to 'Success and Failure' [Added]
- I3184: (L1 - DC) Ensure 'Audit Audit Policy Change' is set to include 'Success' [Added]
- I3185: (L1 - DC) Ensure 'Audit Authentication Policy Change' is set to include 'Success' [Added]
- I3186: (L1 - DC) Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure' [Added]
- I3187: (L1 - DC) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' [Added]
- I3188: (L1 - DC) Ensure 'Audit Security State Change' is set to include 'Success' [Added]
- I3189: (L1 - DC) Ensure 'Audit Security System Extension' is set to include 'Success' [Added]
- I3190: (L1 - DC) Ensure 'Audit System Integrity' is set to 'Success and Failure' [Added]
T5860: Disable automatic learning to protect user privacy (Azure Windows Domain Controller) [Added]
- P3559: Automatic Learning Enabled (Azure Windows Domain Controller) [Added]
- I3191: (L1 - DC) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled' [Added]
T5861: Enhance security posture by disabling SMBv1 and WDigest authentication (Azure Windows Domain Controller) [Added]
- P3560: Outdated Protocol and Credential Theft Vulnerabilities (Azure Windows Domain Controller) [Added]
- I3192: (L1 - DC) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)' [Added]
- I3193: (L1 - DC) Ensure 'Configure SMB v1 server' is set to 'Disabled' [Added]
- I3194: (L1 - DC) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled' [Added]
- I3195: (L1 - DC) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)' [Added]
- I3196: (L1 - DC) Ensure 'WDigest Authentication' is set to 'Disabled' [Added]
T5862: Enhance network security by disabling IP source routing and ICMP redirects (Azure Windows Domain Controller) [Added]
- P3561: IP Source Routing and ICMP Redirects Enabled (Azure Windows Domain Controller) [Added]
- I3197: (L1 - DC) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to ..... [Added]
- I3198: (L1 - DC) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to ..... [Added]
- I3199: (L1 - DC) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' [Added]
- I3200: (L1 - DC) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' ..... [Added]
T5863: Implement secure access to UNC paths (Azure Windows Domain Controller) [Added]
- P3562: Insecure Access to UNC Paths (Azure Windows Domain Controller) [Added]
- I3201: (L1 - DC) Ensure 'Turn off multicast name resolution' is set to 'Enabled' [Added]
- I3202: (L1 - DC) Ensure 'Enable insecure guest logons' is set to 'Disabled' [Added]
- I3203: (L1 - DC) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled' [Added]
- I3204: (L1 - DC) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' [Added]
- I3205: (L1 - DC) Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for ..... [Added]
- I3206: (L1 - DC) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to ..... [Added]
T5864: Enhance security posture with Virtualization Based Security (Azure Windows Domain Controller) [Added]
- P3563: Lack of Virtualization Based Security (Azure Windows Domain Controller) [Added]
- I3207: (L1 - DC) Ensure 'Include command line in process creation events' is set to 'Enabled' [Added]
- I3208: (L1 - DC) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients' [Added]
- I3209: (L1 - DC) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' [Added]
- I3210: (NG - DC) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' [Added]
- I3211: (NG - DC) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection' [Added]
- I3212: (NG - DC) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to ..... [Added]
- I3213: (NG - DC) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)' [Added]
- I3214: (NG - DC) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Disabled' (DC Only) [Added]
- I3215: (NG - DC) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled' [Added]
- I3216: (L1 - DC) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' [Added]
- I3217: (L1 - DC) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' [Added]
- I3218: (L1 - DC) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE' [Added]
- I3219: (L1 - DC) Ensure 'Continue experiences on this device' is set to 'Disabled' [Added]
- I3220: (L1 - DC) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' [Added]
- I3221: (L1 - DC) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' [Added]
- I3222: (L1 - DC) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled' [Added]
- I3223: (L1 - DC) Ensure 'Do not display network selection UI' is set to 'Enabled' [Added]
- I3224: (L1 - DC) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled' [Added]
- I3225: (L1 - DC) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' [Added]
- I3226: (L1 - DC) Ensure 'Configure validation of ROCA-vulnerable WHfB keys during authentication' is set to 'Enabled: Audit' or higher (DC only) [Added]
T5865: Implement Attack Surface Reduction Rules (Azure Windows Domain Controller) [Added]
- P3564: Lack of Attack Surface Reduction Rules (Azure Windows Domain Controller) [Added]
- I3227: (L1 - DC) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled' [Added]
- I3228: (L1 - DC) Ensure 'Turn off cloud consumer account state content' is set to 'Enabled' [Added]
- I3229: (L1 - DC) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled' [Added]
- I3230: (L1 - DC) Ensure 'Do not display the password reveal button' is set to 'Enabled' [Added]
- I3231: (L1 - DC) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' [Added]
- I3232: (L1 - DC) Ensure 'Allow Diagnostic Data' is set to 'Enabled: Send required diagnostic data' [Added]
- I3233: (L1 - DC) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' [Added]
- I3234: (L1 - DC) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' [Added]
- I3235: (L1 - DC) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' [Added]
- I3236: (L1 - DC) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' [Added]
- I3237: (L1 - DC) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' [Added]
- I3238: (L1 - DC) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' [Added]
- I3239: (L1 - DC) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' [Added]
- I3240: (L1 - DC) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' [Added]
- I3241: (L1 - DC) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' [Added]
- I3242: (L1 - DC) Ensure 'Turn off heap termination on corruption' is set to 'Disabled' [Added]
- I3243: (L1 - DC) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' [Added]
- I3244: (L1 - DC) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled' [Added]
- I3245: (L1 - DC) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block' [Added]
- I3246: (L1 - DC) Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled' [Added]
- I3247: (L1 - DC) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' [Added]
- I3248: (L1 - DC) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled' [Added]
- I3249: (L1 - DC) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured [Added]
- I3250: (L1 - DC) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block' [Added]
- I3251: (L1 - DC) Ensure 'Scan all downloaded files and attachments' is set to 'Enabled' [Added]
- I3252: (L1 - DC) Ensure 'Turn off real-time protection' is set to 'Disabled' [Added]
- I3253: (L1 - DC) Ensure 'Turn on behavior monitoring' is set to 'Enabled' [Added]
- I3254: (L1 - DC) Ensure 'Turn on script scanning' is set to 'Enabled' [Added]
- I3255: (L1 - DC) Ensure 'Turn on e-mail scanning' is set to 'Enabled' [Added]
- I3256: (L1 - DC) Ensure 'Do not allow passwords to be saved' is set to 'Enabled' [Added]
- I3257: (L1 - DC) Ensure 'Do not allow drive redirection' is set to 'Enabled' [Added]
- I3258: (L1 - DC) Ensure 'Always prompt for password upon connection' is set to 'Enabled' [Added]
- I3259: (L1 - DC) Ensure 'Require secure RPC communication' is set to 'Enabled' [Added]
- I3260: (L1 - DC) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level' [Added]
- I3261: (L1 - DC) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' [Added]
- I3262: (L1 - DC) Ensure 'Do not use temporary folders per session' is set to 'Disabled' [Added]
- I3263: (L1 - DC) Ensure 'Prevent downloading of enclosures' is set to 'Enabled' [Added]
- I3264: (L1 - DC) Ensure 'Allow indexing of encrypted files' is set to 'Disabled' [Added]
- I3265: (L1 - DC) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' [Added]
- I3266: (L1 - DC) Ensure 'Allow user control over installs' is set to 'Disabled' [Added]
- I3267: (L1 - DC) Ensure 'Always install with elevated privileges' is set to 'Disabled' [Added]
- I3268: (L1 - DC) Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled' [Added]
- I3269: (L1 - DC) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled' [Added]
- I3270: (L1 - DC) Ensure 'Turn on PowerShell Transcription' is set to 'Disabled' [Added]
- I3271: (L1 - DC) Ensure 'Allow Basic authentication' is set to 'Disabled' [Added]
- I3272: (L1 - DC) Ensure 'Allow unencrypted traffic' is set to 'Disabled' [Added]
- I3273: (L1 - DC) Ensure 'Disallow Digest authentication' is set to 'Enabled' [Added]
- I3274: (L1 - DC) Ensure 'Allow Basic authentication' is set to 'Disabled' [Added]
- I3275: (L1 - DC) Ensure 'Allow unencrypted traffic' is set to 'Disabled' [Added]
- I3276: (L1 - DC) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' [Added]
- I3277: (L1 - DC) Ensure 'Prevent users from modifying settings' is set to 'Enabled' [Added]
T5866: Verify password policy settings for user accounts (Azure Windows Domain Controller) [Added]
- P3539: Weak Password Policies (Azure Windows Domain Controller) [Added]
- I3278: (L1 - DC) Verify that 'Enforce password history' is set to '24 or more password(s)' [Added]
- I3279: (L1 - DC) Verify that 'Maximum password age' is set to '365 or fewer days, but not 0' [Added]
- I3280: (L1 - DC) Verify that 'Minimum password length' is set to '14 or more character(s)' [Added]
- I3281: (L1 - DC) Verify that the minimum password length is set to 14 or more characters [Added]
- I3282: (L1 - DC) Verify that 'Password must meet complexity requirements' is set to 'Enabled' [Added]
- I3283: (L1 - DC) Verify that 'Store passwords using reversible encryption' is set to 'Disabled' [Added]
T5867: Verify that user rights are assigned correctly (Azure Windows Domain Controller) [Added]
- P3540: Excessive User Privileges (Azure Windows Domain Controller) [Added]
- I3284: (L1 - DC) Verify that 'Access Credential Manager as a trusted caller' is set to 'No One' [Added]
- I3285: (L1 - DC) Verify that 'Access this computer from the network' is set to 'Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS' [Added]
- I3286: (L1 - DC) Verify that 'Act as part of the operating system' is set to 'No One' [Added]
- I3287: (L1 - DC) Verify that 'Add workstations to domain' is set to 'Administrators' (DC only) [Added]
- I3288: (L1 - DC) Verify that 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE' [Added]
- I3289: (L1 - DC) Verify that 'Allow log on locally' is set to 'Administrators' [Added]
- I3290: (L1 - DC) Verify that 'Allow log on through Remote Desktop Services' is set to 'Administrators' (DC only) [Added]
- I3291: (L1 - DC) Verify that 'Back up files and directories' is set to 'Administrators, Backup Operators' [Added]
- I3292: (L1 - DC) Verify that 'Change the system time' is set to 'Administrators, LOCAL SERVICE' [Added]
- I3293: (L1 - DC) Verify that 'Change the time zone' is set to 'Administrators, LOCAL SERVICE' [Added]
- I3294: (L1 - DC) Verify that 'Create a pagefile' is set to 'Administrators' [Added]
- I3295: (L1 - DC) Verify that 'Create a token object' is set to 'No One' [Added]
- I3296: (L1 - DC) Verify that 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' [Added]
- I3297: (L1 - DC) Verify that 'Create permanent shared objects' is set to 'No One' [Added]
- I3298: (L1 - DC) Verify that 'Create symbolic links' is set to 'Administrators' (DC only) [Added]
- I3299: (L1 - DC) Verify that 'Debug programs' is set to 'Administrators' [Added]
- I3300: (L1 - DC) Verify that 'Deny access to this computer from the network' includes 'Guests' [Added]
- I3301: (L1 - DC) Verify that 'Deny log on as a batch job' includes 'Guests' [Added]
- I3302: (L1 - DC) Verify that 'Deny log on as a service' includes 'Guests' [Added]
- I3303: (L1 - DC) Verify that 'Deny log on locally' includes 'Guests' [Added]
- I3304: (L1 - DC) Verify that 'Deny log on through Remote Desktop Services' includes 'Guests' [Added]
- I3305: (L1 - DC) Verify that 'Enable computer and user accounts to be trusted for delegation' is set to 'Administrators' (DC only) [Added]
- I3306: (L1 - DC) Verify that 'Force shutdown from a remote system' is set to 'Administrators' [Added]
- I3307: (L1 - DC) Verify that 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' [Added]
- I3308: (L1 - DC) Test that 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' [Added]
- I3309: (L1 - DC) Verify that 'Increase scheduling priority' is set to 'Administrators' [Added]
- I3310: (L1 - DC) Verify that 'Load and unload device drivers' is set to 'Administrators' [Added]
- I3311: (L1 - DC) Verify that 'Lock pages in memory' is set to 'No One' [Added]
- I3312: (L1 - DC) Verify that the auditing and security log management is configured correctly [Added]
- I3313: (L1 - DC) Verify that 'Modify an object label' is set to 'No One' [Added]
- I3314: (L1 - DC) Verify that 'Modify firmware environment values' is set to 'Administrators' [Added]
- I3315: (L1 - DC) Verify that 'Perform volume maintenance tasks' is set to 'Administrators' [Added]
- I3316: (L1 - DC) Verify that 'Profile single process' is set to 'Administrators' [Added]
- I3317: (L1 - DC) Verify that 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost' [Added]
- I3318: (L1 - DC) Verify that 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' [Added]
- I3319: (L1 - DC) Verify that 'Restore files and directories' is set to 'Administrators, Backup Operators' [Added]
- I3320: (L1 - DC) Verify that 'Shut down the system' is set to 'Administrators, Backup Operators' [Added]
- I3321: (L1 - DC) Verify that 'Synchronize directory service data' is set to 'No One' (DC only) [Added]
- I3322: (L1 - DC) Verify that 'Take ownership of files or other objects' is set to 'Administrators' [Added]
T5868: Verify that users can't add or log on with Microsoft accounts (Azure Windows Domain Controller) [Added]
- P3541: Unauthorized Microsoft Account Creation (Azure Windows Domain Controller) [Added]
- I3323: (L1 - DC) Verify that 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts' [Added]
- I3324: (L1 - DC) Verify that local account use of blank passwords is limited to console logon only [Added]
- I3325: (L1 - DC) Test that the administrator account is renamed(L1 - DC) [Added]
- I3326: (L1 - DC) Test the configuration of 'Accounts: Rename guest account' [Added]
T5869: Verify the audit policy settings for Windows Vista or later (Azure Windows Domain Controller) [Added]
- P3542: Inadequate Security Monitoring Due to Insufficient Auditing Capabilities (Azure Windows Domain Controller) [Added]
- I3327: (L1 - DC) Verify that the audit policy subcategory settings are enabled [Added]
- I3328: (L1 - DC) Verify that 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' [Added]
T5870: Verify the policy setting for removable NTFS media and printer driver installation (Azure Windows Domain Controller) [Added]
- P3543: Unauthorized Access to Removable NTFS Media (Azure Windows Domain Controller) [Added]
- I3329: (L1 - DC) Verify that 'Devices: Allowed to format and eject removable media' is set to 'Administrators' [Added]
- I3330: (L1 - DC) Verify that 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' [Added]
T5871: Verify that the LDAP server requires signing (Azure Windows Domain Controller) [Added]
- P3544: Unsigned LDAP Communications (Azure Windows Domain Controller) [Added]
- I3331: (L1 - DC) Verify that 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' [Added]
- I3332: (L1 - DC) Verify that 'Domain controller: Allow vulnerable Netlogon secure channel connections' is set to 'Not Configured' [Added]
- I3333: (L1 - DC) Verify that 'Domain controller: LDAP server channel binding token requirements' is set to 'Always' (DC Only' [Added]
- I3334: (L1 - DC) Verify that the Domain controller's LDAP server signing requirements are set to Require signing [Added]
- I3335: (L1 - DC) Verify that 'Domain controller: Refuse machine account password changes' is set to 'Disabled' [Added]
T5872: Verify that secure channel traffic is encrypted and signed (Azure Windows Domain Controller) [Added]
- P3545: Lack of Encryption and Signing in Secure Channel Traffic (Azure Windows Domain Controller) [Added]
- I3336: (L1 - DC) Verify that 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled' [Added]
- I3337: (L1 - DC) Verify that 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled' [Added]
- I3338: (L1 - DC) Verify that 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled' [Added]
- I3339: (L1 - DC) Verify that 'Domain member: Disable machine account password changes' is set to 'Disabled' [Added]
- I3340: (L1 - DC) Verify that 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' [Added]
T5873: Verify the inactivity limit for logon sessions (Azure Windows Domain Controller) [Added]
- P3546: Lack of Inactivity Lock Screen Policy (Azure Windows Domain Controller) [Added]
- I3341: (L1 - DC) Verify that 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0' [Added]
- I3342: (L1 - DC) Test the interactive logon message configuration [Added]
- I3343: (L1 - DC) Test the interactive logon message title configuration [Added]
- I3344: (L1 - DC) Verify that the interactive logon prompts users to change passwords before expiration [Added]
T5874: Verify that SMB packet signing is enabled (Azure Windows Domain Controller) [Added]
- P3547: Lack of SMB Packet Signing and Use of Plaintext Passwords (Azure Windows Domain Controller) [Added]
- I3345: (L1 - DC) Verify that Microsoft network client: Digitally sign communications (always) is set to Enabled [Added]
- I3346: (L1 - DC) Verify that Microsoft network client: Digitally sign communications (if server agrees) is set to Enabled [Added]
- I3347: (L1 - DC) Verify that the Microsoft network client: Send unencrypted password to third-party SMB servers is set to Disabled [Added]
T5875: Verify the SMB session inactivity policy settings (Azure Windows Domain Controller) [Added]
- P3548: Improper Session Management and Lack of Packet Signing (Azure Windows Domain Controller) [Added]
- I3348: (L1 - DC) Verify that Microsoft network server session timeout is set to 15 minutes or fewer [Added]
- I3349: (L1 - DC) Verify that Microsoft network server: Digitally sign communications (always) is set to Enabled [Added]
- I3350: (L1 - DC) Verify that Microsoft network server: Digitally sign communications (if client agrees) is set to Enabled [Added]
- I3351: (L1 - DC) Verify that 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' [Added]
T5876: Verify the security settings for anonymous user access (Azure Windows Domain Controller) [Added]
- P3549: Anonymous Access to Network Resources (Azure Windows Domain Controller) [Added]
- I3352: (L1 - DC) Verify that 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled' [Added]
- I3353: (L1 - DC) Verify that 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' [Added]
- I3354: (L1 - DC) Test that the network access for named pipes is configured correctly [Added]
- I3355: (L1 - DC) Verify that 'Network access: Remotely accessible registry paths' is configured [Added]
- I3356: (L1 - DC) Verify that 'Network access: Remotely accessible registry paths and sub-paths' is configured [Added]
- I3357: (L1 - DC) Verify that 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' [Added]
- I3358: (L1 - DC) Verify that 'Network access: Shares that can be accessed anonymously' is set to 'None' [Added]
- I3359: (L1 - DC) Verify that the network access sharing and security model for local accounts is set to classic [Added]
T5877: Verify the recommended state for NTLM authentication settings (Azure Windows Domain Controller) [Added]
- P3550: Weak NTLM Authentication Protocols (Azure Windows Domain Controller) [Added]
- I3360: (L1 - DC) Verify that 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled' [Added]
- I3361: (L1 - DC) Verify that 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled' [Added]
- I3362: (L1 - DC) Verify that 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled' [Added]
- I3363: (L1 - DC) Verify that the network security configuration allows specific encryption types for Kerberos [Added]
- I3364: (L1 - DC) Verify that 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' [Added]
- I3365: (L1 - DC) Verify that the LAN Manager authentication level is set correctly [Added]
- I3366: (L1 - DC) Verify that the network security settings are configured correctly [Added]
- I3367: (L1 - DC) Verify that the network security settings require NTLMv2 session security [Added]
- I3368: (L1 - DC) Verify that the network security settings require NTLMv2 session security [Added]
T5878: Verify that the shutdown command is restricted for non-logged on users (Azure Windows Domain Controller) [Added]
- P3551: Unauthorized System Shutdown (Azure Windows Domain Controller) [Added]
- I3369: (L1 - DC) Verify that the system shutdown setting is disabled [Added]
T5879: Verify the case sensitivity policy setting for subsystems (Azure Windows Domain Controller) [Added]
- P3552: Case Insensitivity in File Systems (Azure Windows Domain Controller) [Added]
- I3370: (L1 - DC) Verify that 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled' [Added]
- I3371: (L1 - DC) Verify that the default permissions of internal system objects are strengthened [Added]
T5880: Verify the behavior of Admin Approval Mode for the built-in Administrator account (Azure Windows Domain Controller) [Added]
- P3553: Insufficient User Privilege Management (Azure Windows Domain Controller) [Added]
- I3372: (L1 - DC) Verify that User Account Control is set to Enabled [Added]
- I3373: (L1 - DC) Verify that User Account Control settings are configured correctly [Added]
- I3374: (L1 - DC) Verify that User Account Control settings are configured correctly [Added]
- I3375: (L1 - DC) Verify that 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' [Added]
- I3376: (L1 - DC) Verify that User Account Control settings are properly configured [Added]
- I3377: (L1 - DC) Verify that 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled' [Added]
- I3378: (L1 - DC) Verify that User Account Control is set to Enabled [Added]
- I3379: (L1 - DC) Verify that User Account Control virtualization settings are enabled [Added]
T5881: Test that the print job handling service is disabled (Azure Windows Domain Controller) [Added]
- P3554: Unauthorized Access to Print Jobs (Azure Windows Domain Controller) [Added]
- I3380: (L1 - DC) Verify that the Print Spooler (Spooler) is set to Disabled [Added]
T5882: Verify the settings for Windows Firewall with Advanced Security (Azure Windows Domain Controller) [Added]
- P3555: Lack of Network Traffic Visibility (Azure Windows Domain Controller) [Added]
- I3381: (L1 - DC) Verify that Windows Firewall is set to On (recommended) [Added]
- I3382: (L1 - DC) Verify that Windows Firewall: Domain: Inbound connections is set to Block (default) [Added]
- I3383: (L1 - DC) Verify that Windows Firewall: Domain: Outbound connections is set to Allow (default) [Added]
- I3384: (L1 - DC) Verify that Windows Firewall logging is configured correctly [Added]
- I3385: (L1 - DC) Verify that Windows Firewall's logging size limit is configured correctly [Added]
- I3386: (L1 - DC) Verify that Windows Firewall is logging dropped packets [Added]
- I3387: (L1 - DC) Verify that Windows Firewall logs successful connections [Added]
T5883: Verify the Windows Firewall settings for network traffic filtering (Azure Windows Domain Controller) [Added]
- P3556: Lack of Logging for Windows Firewall with Advanced Security (Azure Windows Domain Controller) [Added]
- I3388: (L1 - DC) Verify that Windows Firewall: Private: Firewall state is set to On (recommended) [Added]
- I3389: (L1 - DC) Verify that Windows Firewall: Private: Inbound connections is set to Block (default) [Added]
- I3390: (L1 - DC) Verify that Windows Firewall: Private: Outbound connections is set to Allow (default) [Added]
- I3391: (L1 - DC) Verify that Windows Firewall logging is configured correctly [Added]
- I3392: (L1 - DC) Verify that Windows Firewall's logging size limit is set correctly [Added]
- I3393: (L1 - DC) Verify that Windows Firewall is logging dropped packets [Added]
- I3394: (L1 - DC) Verify that Windows Firewall is logging successful connections [Added]
T5884: Verify the implementation of settings for Windows Firewall with Advanced Security (Azure Windows Domain Controller) [Added]
- P3557: Lack of Logging for Network Traffic (Azure Windows Domain Controller) [Added]
- I3395: (L1 - DC) Verify that Windows Firewall: Public: Firewall state is set to On (recommended) [Added]
- I3396: (L1 - DC) Verify that 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)' [Added]
- I3397: (L1 - DC) Verify that 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' [Added]
- I3398: (L1 - DC) Verify that Windows Firewall logging is configured correctly [Added]
- I3399: (L1 - DC) Verify that Windows Firewall's logging size limit is set correctly [Added]
- I3400: (L1 - DC) Verify that Windows Firewall is logging dropped packets [Added]
- I3401: (L1 - DC) Verify that Windows Firewall's logging for successful connections is enabled [Added]
T5885: Verify audit logging effectiveness for Windows domain controller security (Azure Windows Domain Controller) [Added]
- P3558: Lack of visibility into unauthorized or suspicious user and system activities(Azure Windows Domain Controller) [Added]
- I3402: (L1 - DC) Verify that 'Audit Credential Validation' is set to 'Success and Failure' [Added]
- I3403: (L1 - DC) Verify that 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only) [Added]
- I3404: (L1 - DC) Verify that 'Audit Computer Account Management' is set to include 'Success and Failure' (DC only) [Added]
- I3405: (L1 - DC) Verify that 'Audit Distribution Group Management' includes 'Success and Failure' [Added]
- I3406: (L1 - DC) Verify that 'Audit Other Account Management Events' includes 'Success' (DC only) [Added]
- I3407: (L1 - DC) Verify that 'Audit Security Group Management' includes 'Success' [Added]
- I3408: (L1 - DC) Test that 'Audit User Account Management' is set to 'Success and Failure' [Added]
- I3409: (L1 - DC) Verify that 'Audit PNP Activity' is set to include 'Success' [Added]
- I3410: (L1 - DC) Verify that 'Audit Process Creation' is set to include 'Success' [Added]
- I3411: (L1 - DC) Verify that 'Audit Account Lockout' includes 'Success and Failure' [Added]
- I3412: (L1 - DC) Verify that 'Audit Group Membership' is set to include 'Success' [Added]
- I3413: (L1 - DC) Verify that 'Audit Logoff' is set to include 'Success' [Added]
- I3414: (L1 - DC) Verify that 'Audit Logon' is set to 'Success and Failure' [Added]
- I3415: (L1 - DC) Verify that 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' [Added]
- I3416: (L1 - DC) Verify that 'Audit Special Logon' is set to include 'Success' [Added]
- I3417: (L1 - DC) Verify that 'Audit Other Object Access Events' is set to 'Success and Failure' [Added]
- I3418: (L1 - DC) Verify that 'Audit Removable Storage' is set to 'Success and Failure' [Added]
- I3419: (L1 - DC) Verify that 'Audit Audit Policy Change' is set to include 'Success' [Added]
- I3420: (L1 - DC) Verify that 'Audit Authentication Policy Change' is set to include 'Success' [Added]
- I3421: (L1 - DC) Verify that 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure' [Added]
- I3422: (L1 - DC) Verify that 'Audit Sensitive Privilege Use' is set to 'Success and Failure' [Added]
- I3423: (L1 - DC) Verify that 'Audit Security State Change' is set to include 'Success' [Added]
- I3424: (L1 - DC) Verify that the Audit Security System Extension includes Success [Added]
- I3425: (L1 - DC) Verify that 'Audit System Integrity' is set to 'Success and Failure' [Added]
T5886: Verify that the automatic learning component is disabled (Azure Windows Domain Controller) [Added]
- P3559: Automatic Learning Enabled (Azure Windows Domain Controller) [Added]
- I3426: (L1 - DC) Verify that 'Allow users to enable online speech recognition services' is set to 'Disabled' [Added]
T5887: Verify the configuration of SMBv1 client driver service (Azure Windows Domain Controller) [Added]
- P3560: Outdated Protocol and Credential Theft Vulnerabilities (Azure Windows Domain Controller) [Added]
- I3427: (L1 - DC) Verify that 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)' [Added]
- I3428: (L1 - DC) Verify that 'Configure SMB v1 server' is set to 'Disabled' [Added]
- I3429: (L1 - DC) Verify that 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled' [Added]
- I3430: (L1 - DC) Verify that 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)' [Added]
- I3431: (L1 - DC) Verify that WDigest Authentication is set to Disabled [Added]
T5888: Verify the configuration of IP source routing settings (Azure Windows Domain Controller) [Added]
- P3561: IP Source Routing and ICMP Redirects Enabled (Azure Windows Domain Controller) [Added]
- I3432: (L1 - DC) Verify that the IP source routing protection level is set to 'Enabled: Highest protection' [Added]
- I3433: (L1 - DC) Verify that MSS: (DisableIPSourceRouting) IP source routing protection level is set to Enabled: Highest protection [Added]
- I3434: (L1 - DC) Verify that 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' [Added]
- I3435: (L1 - DC) Verify that the computer ignores NetBIOS name release requests [Added]
T5889: Verify the SMB client settings for secure access (Azure Windows Domain Controller) [Added]
- P3562: Insecure Access to UNC Paths (Azure Windows Domain Controller) [Added]
- I3436: (L1 - DC) Verify that 'Turn off multicast name resolution' is set to 'Enabled' [Added]
- I3437: (L1 - DC) Verify that 'Enable insecure guest logons' is set to 'Disabled' [Added]
- I3438: (L1 - DC) Verify that the installation and configuration of Network Bridge on your DNS domain network is prohibited [Added]
- I3439: (L1 - DC) Verify that 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' [Added]
- I3440: (L1 - DC) Verify that 'Hardened UNC Paths' is set to 'Enabled' [Added]
- I3441: (L1 - DC) Test that 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to ..... [Added]
T5890: Verify the security audit events logging for process creation (Azure Windows Domain Controller) [Added]
- P3563: Lack of Virtualization Based Security (Azure Windows Domain Controller) [Added]
- I3442: (L1 - DC) Verify that 'Include command line in process creation events' is set to 'Enabled' [Added]
- I3443: (L1 - DC) Verify that 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients' [Added]
- I3444: (L1 - DC) Verify that the remote host allows delegation of non-exportable credentials [Added]
- I3445: (L1 - DC) Verify that 'Turn On Virtualization Based Security' is set to 'Enabled' [Added]
- I3446: (L1 - DC) Verify that 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection' [Added]
- I3447: (L1 - DC) Verify that 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to .... [Added]
- I3448: (L1 - DC) Verify that 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)' [Added]
- I3449: (L1 - DC) Verify that 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Disabled' (DC Only) [Added]
- I3450: (L1 - DC) Verify that 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled' [Added]
- I3451: (L1 - DC) Verify that the 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' [Added]
- I3452: (L1 - DC) Verify that the registry policy processing is configured correctly [Added]
- I3453: (L1 - DC) Verify that the registry policy processing is configured correctly [Added]
- I3454: (L1 - DC) Verify that 'Continue experiences on this device' is set to 'Disabled' [Added]
- I3455: (L1 - DC) Verify that 'Turn off background refresh of Group Policy' is set to 'Disabled' [Added]
- I3456: (L1 - DC) Verify that 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' [Added]
- I3457: (L1 - DC) Verify that 'Block user from showing account details on sign-in' is set to 'Enabled' [Added]
- I3458: (L1 - DC) Verify that 'Do not display network selection UI' is set to 'Enabled' [Added]
- I3459: (L1 - DC) Verify that 'Configure Offer Remote Assistance' is set to 'Disabled' [Added]
- I3460: (L1 - DC) Verify that 'Configure Solicited Remote Assistance' is set to 'Disabled' [Added]
- I3461: (L1 - DC) Test that the validation of ROCA-vulnerable WHfB keys during authentication is configured [Added]
T5891: Verify that Microsoft accounts are required for Windows Store apps (Azure Windows Domain Controller) [Added]
- P3564: Lack of Attack Surface Reduction Rules (Azure Windows Domain Controller) [Added]
- I3462: (L1 - DC) Verify that 'Allow Microsoft accounts to be optional' is set to 'Enabled' [Added]
- I3463: (L1 - DC) Verify that 'Turn off cloud consumer account state content' is set to 'Enabled' [Added]
- I3464: (L1 - DC) Verify that 'Turn off Microsoft consumer experiences' is set to 'Enabled' [Added]
- I3465: (L1 - DC) Verify that 'Do not display the password reveal button' is set to 'Enabled' [Added]
- I3466: (L1 - DC) Verify that 'Enumerate administrator accounts on elevation' is set to 'Disabled' [Added]
- I3467: (L1 - DC) Verify that 'Allow Diagnostic Data' is set to 'Enabled: Send required diagnostic data' [Added]
- I3468: (L1 - DC) Verify Application Control Event Log behavior when the log file reaches its maximum size [Added]
- I3469: (L1 - DC) Verify that the maximum log file size is set to 32,768 or greater [Added]
- I3470: (L1 - DC) Verify Security Control Event Log behavior when the log file reaches its maximum size [Added]
- I3471: (L1 - DC) Verify that the maximum log file size is set to Enabled: 196,608 or greater [Added]
- I3472: (L1 - DC) Verify that the Control Event Log behavior is set to Disabled [Added]
- I3473: (L1 - DC) Verify that the maximum log file size is set to 32,768 KB or greater [Added]
- I3474: (L1 - DC) Verify System Control Event Log behavior when the log file reaches its maximum size [Added]
- I3475: (L1 - DC) Verify that the maximum log file size is set to 32,768 or greater [Added]
- I3476: (L1 - DC) Verify that 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' [Added]
- I3477: (L1 - DC) Verify that 'Turn off heap termination on corruption' is set to 'Disabled' [Added]
- I3478: (L1 - DC) Verify that 'Turn off shell protocol protected mode' is set to 'Disabled' [Added]
- I3479: (L1 - DC) Verify that 'Block all consumer Microsoft account user authentication' is set to 'Enabled' [Added]
- I3480: (L1 - DC) Verify that 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block' [Added]
- I3481: (L1 - DC) Verify that 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled' [Added]
- I3482: (L1 - DC) Verify that 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' [Added]
- I3483: (L1 - DC) Verify that 'Configure Attack Surface Reduction rules' is set to 'Enabled' [Added]
- I3484: (L1 - DC) Verify that the Attack Surface Reduction rules are configured [Added]
- I3485: (L1 - DC) Verify that 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block' [Added]
- I3486: (L1 - DC) Verify that 'Scan all downloaded files and attachments' is set to 'Enabled' [Added]
- I3487: (L1 - DC) Verify that 'Turn off real-time protection' is set to 'Disabled' [Added]
- I3488: (L1 - DC) Verify that 'Turn on behavior monitoring' is set to 'Enabled' [Added]
- I3489: (L1 - DC) Verify that 'Turn on script scanning' is set to 'Enabled' [Added]
- I3490: (L1 - DC) Verify that 'Turn on e-mail scanning' is set to 'Enabled' [Added]
- I3491: (L1 - DC) Verify that 'Do not allow passwords to be saved' is set to 'Enabled' [Added]
- I3492: (L1 - DC) Verify that 'Do not allow drive redirection' is set to 'Enabled' [Added]
- I3493: (L1 - DC) Verify that 'Always prompt for password upon connection' is set to 'Enabled' [Added]
- I3494: (L1 - DC) Verify that 'Require secure RPC communication' is set to 'Enabled' [Added]
- I3495: (L1 - DC) Verify that 'Set client connection encryption level' is set to 'Enabled: High Level' [Added]
- I3496: (L1 - DC) Verify that 'Do not delete temp folders upon exit' is set to 'Disabled' [Added]
- I3497: (L1 - DC) Verify that 'Do not use temporary folders per session' is set to 'Disabled' [Added]
- I3498: (L1 - DC) Verify that 'Prevent downloading of enclosures' is set to 'Enabled' [Added]
- I3499: (L1 - DC) Verify that 'Allow indexing of encrypted files' is set to 'Disabled' [Added]
- I3500: (L1 - DC) Verify that Windows Defender SmartScreen is configured to warn and prevent bypass [Added]
- I3501: (L1 - DC) Verify that 'Allow user control over installs' is set to 'Disabled' [Added]
- I3502: (L1 - DC) Verify that 'Always install with elevated privileges' is set to 'Disabled' [Added]
- I3503: (L1 - DC) Verify that 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled' [Added]
- I3504: (L1 - DC) Verify that 'Turn on PowerShell Script Block Logging' is set to 'Enabled' [Added]
- I3505: (L1 - DC) Verify that 'Turn on PowerShell Transcription' is set to 'Disabled' [Added]
- I3506: (L1 - DC) Verify that 'Allow Basic authentication' is set to 'Disabled' [Added]
- I3507: (L1 - DC) Verify that 'Allow unencrypted traffic' is set to 'Disabled' [Added]
- I3508: (L1 - DC) Verify that 'Disallow Digest authentication' is set to 'Enabled' [Added]
- I3509: (L1 - DC) Verify that 'Allow Basic authentication' is set to 'Disabled' [Added]
- I3510: (L1 - DC) Verify that 'Allow unencrypted traffic' is set to 'Disabled' [Added]
- I3511: (L1 - DC) Verify that 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' [Added]
- I3512: (L1 - DC) Verify that 'Prevent users from modifying settings' is set to 'Enabled' [Added]
T5892: Verify that the scheduler service is not bound to non-loopback insecure addresses (Kubernetes Master Node) [Added]
- I3571: Ensure that the --bind-address argument is set to 127.0.0.1 [Added]
T5893: Verify the security of Kubernetes authentication mechanisms (Kubernetes Master Node) [Added]
- P3565: Unrestricted Pod Creation (Kubernetes Master Node) [Added]
- I3685: Verify that client certificate authentication is not used for users [Added]
- I3686: Verify that service account token authentication is not used for users [Added]
- I3687: Verify that Bootstrap token authentication is not used for users [Added]
- I3690: Verify that the cluster-admin role is only used where required [Added]
- I3691: Test that access to secrets is minimized [Added]
- I3692: Verify that wildcard use is minimized in Roles and ClusterRoles [Added]
- I3693: Test that access to create pods is minimized [Added]
- I3696: Verify that the system:masters group is not used [Added]
- I3697: Verify the limited use of Bind, Impersonate and Escalate permissions in the Kubernetes cluster [Added]
- I3698: Test that access to create persistent volumes is minimized [Added]
- I3699: Test that access to the proxy sub-resource of nodes is minimized [Added]
- I3700: Test that access to the approval sub-resource of certificatesigningrequests objects is minimized [Added]
- I3701: Test that access to webhook configuration objects is minimized [Added]
T5894: Verify that Kubernetes clusters enforce policy controls (Kubernetes Master Node) [Added]
- P3566: Lack of Policy Control Mechanism (Kubernetes Master Node) [Added]
- I3703: Verify that the cluster has at least one active policy control mechanism in place [Added]
- I3704: Test that the admission of privileged containers is minimized [Added]
- I3705: Test minimizing the admission of containers wishing to share the host process ID namespace [Added]
- I3706: Test minimizing the admission of containers wishing to share the host IPC namespace [Added]
- I3707: Test minimizing the admission of containers wishing to share the host network namespace [Added]
- I3708: Test that the admission of containers minimizes allowPrivilegeEscalation [Added]
- I3709: Test that the admission of root containers is minimized [Added]
- I3710: Test that the admission of containers with the NET_RAW capability is minimized [Added]
- I3711: Test the admission of containers with added capabilities [Added]
- I3712: Test that the admission of containers with capabilities assigned is minimized [Added]
- I3713: Test minimize the admission of Windows HostProcess Containers [Added]
- I3714: Test minimizing the admission of HostPath volumes [Added]
- I3715: Test that the admission of containers which use HostPorts is minimized [Added]
- I3721: Test administrative boundaries between resources using namespaces [Added]
- I3722: Verify that the seccomp profile is set to docker/default in your pod definitions [Added]
- I3724: Verify that the default namespace is not used [Added]
T5895: Test network policies to isolate traffic in your cluster network (Kubernetes Master Node) [Added]
- P3567: Lack of Network Traffic Control (Kubernetes Master Node) [Added]
- I3716: Verify that the CNI in use supports Network Policies [Added]
- I3717: Verify that all Namespaces have Network Policies defined [Added]
T5896: Verify the use of external secrets management for Kubernetes (Kubernetes Master Node Secrets) [Added]
- P3568: Insecure Secret Management in Kubernetes (Kubernetes Master Node) [Added]
- I3718: Verify that secrets are managed as files instead of environment variables [Added]
- I3719: Verify that external secret storage is considered [Added]
T5897: Bind scheduler service to loopback addresses (Kubernetes Master Node) [Added]
- I3677: Verify that the --bind-address argument is set to 127.0.0.1 [Added]
T5898: Implement restrictions on pod creation in Kubernetes (Kubernetes Master Node) [Added]
- P3565: Unrestricted Pod Creation (Kubernetes Master Node) [Added]
- I3579: Client certificate authentication should not be used for users [Added]
- I3580: Service account token authentication should not be used for users [Added]
- I3581: Bootstrap token authentication should not be used for users [Added]
- I3584: Ensure that the cluster-admin role is only used where required [Added]
- I3585: Minimize access to secrets [Added]
- I3586: Minimize wildcard use in Roles and ClusterRoles [Added]
- I3587: Minimize access to create pods [Added]
- I3590: Avoid use of system:masters group [Added]
- I3591: Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster [Added]
- I3592: Minimize access to create persistent volumes [Added]
- I3593: Minimize access to the proxy sub-resource of nodes [Added]
- I3594: Minimize access to the approval sub-resource of certificatesigningrequests objects [Added]
- I3595: Minimize access to webhook configuration objects [Added]
T5899: Implement a policy control mechanism in Kubernetes (Kubernetes Master Node) [Added]
- P3566: Lack of Policy Control Mechanism (Kubernetes Master Node) [Added]
- I3597: Ensure that the cluster has at least one active policy control mechanism in place [Added]
- I3598: Minimize the admission of privileged containers [Added]
- I3599: Minimize the admission of containers wishing to share the host process ID namespace [Added]
- I3600: Minimize the admission of containers wishing to share the host IPC namespace [Added]
- I3601: Minimize the admission of containers wishing to share the host network namespace [Added]
- I3602: Minimize the admission of containers with allowPrivilegeEscalation [Added]
- I3603: Minimize the admission of root containers [Added]
- I3604: Minimize the admission of containers with the NET_RAW capability [Added]
- I3605: Minimize the admission of containers with added capabilities [Added]
- I3606: Minimize the admission of containers with capabilities assigned [Added]
- I3607: Minimize the admission of Windows HostProcess Containers [Added]
- I3608: Minimize the admission of HostPath volumes [Added]
- I3609: Minimize the admission of containers which use HostPorts [Added]
- I3615: Create administrative boundaries between resources using namespaces [Added]
- I3616: Ensure that the seccomp profile is set to docker/default in your pod definitions [Added]
- I3618: The default namespace should not be used [Added]
T5900: Implement network policies in Kubernetes (Kubernetes Master Node) [Added]
- P3567: Lack of Network Traffic Control (Kubernetes Master Node) [Added]
- I3610: Ensure that the CNI in use supports Network Policies [Added]
- I3611: Ensure that all Namespaces have Network Policies defined [Added]
T5901: Implement an external secrets management system for Kubernetes (Kubernetes Master Node) [Added]
- P3568: Insecure Secret Management in Kubernetes (Kubernetes Master Node) [Added]
- I3612: Prefer using secrets as files over secrets as environment variables [Added]
- I3613: Consider external secret storage [Added]
T5902: Verify that audit logs are collected and managed (Amazon EKS) [Added]
- P3569: Lack of Robust Audit Log Management (Amazon EKS) [Added]
- I3758: Test that audit logs are enabled [Added]
- I3759: Verify that audit logs are collected and managed [Added]
T5903: Verify kubelet configuration permissions and ownership (Amazon EKS) [Added]
- P3570: Insecure Permissions on Kubelet Configuration Files (Amazon EKS) [Added]
- I3760: Verify that the kubeconfig file permissions are set to 644 or more restrictive [Added]
- I3761: Verify that the kubelet kubeconfig file ownership is set to root:root [Added]
- I3762: Verify that the kubelet configuration file has permissions set to 644 or more restrictive [Added]
- I3763: Verify that the kubelet configuration file ownership is set to root:root [Added]
T5904: Verify that anonymous requests to the Kubelet server are disabled (Amazon EKS) [Added]
- P3571: Anonymous Request Handling Vulnerability (Amazon EKS) [Added]
- I3764: Verify that Anonymous Auth is Not Enabled [Added]
- I3765: Verify that the --authorization-mode argument is not set to AlwaysAllow [Added]
- I3766: Verify that a Client CA File is Configured [Added]
T5905: Test that the read-only port is disabled (Amazon EKS) [Added]
- P3572: Unauthorized Access via Read-Only Port (Amazon EKS) [Added]
- I3767: Verify that the --read-only-port is disabled [Added]
- I3768: Verify that the --streaming-connection-idle-timeout argument is not set to 0 [Added]
T5906: Verify Kubelet's iptables management settings (Amazon EKS) [Added]
- P3573: Unrestricted Event Logging Leading to Denial of Service (Amazon EKS) [Added]
- I3769: Verify that the --make-iptables-util-chains argument is set to true [Added]
- I3770: Verify that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture [Added]
T5907: Test kubelet client and server certificate rotation (Amazon EKS) [Added]
- P3574: Lack of Certificate Rotation (Amazon EKS) [Added]
- I3771: Verify that the --rotate-certificates argument is not present or is set to true [Added]
- I3772: Verify that the RotateKubeletServerCertificate argument is set to true [Added]
T5908: Verify that access to Kubernetes secrets is restricted (Amazon EKS) [Added]
- P3575: Excessive Privilege Assignment (Amazon EKS) [Added]
- I3773: Verify that the cluster-admin role is only used where required [Added]
- I3774: Verify that wildcard use in Roles and ClusterRoles is minimized [Added]
- I3775: Test the Cluster Access Manager API for EKS cluster access control management [Added]
- I3792: Verify that Kubernetes RBAC users are managed with AWS IAM Authenticator [Added]
- I3804: Test that access to secrets is minimized [Added]
- I3805: Test that access to create pods is minimized [Added]
- I3806: Verify that default service accounts are not actively used [Added]
- I3807: Verify that Service Account Tokens are only mounted where necessary [Added]
- I3808: Verify the limited use of Bind, Impersonate and Escalate permissions in the Kubernetes cluster [Added]
T5909: Verify that containers do not run with elevated privileges (Amazon EKS) [Added]
- P3576: Excessive Container Privileges (Amazon EKS) [Added]
- I3776: Test that the admission of privileged containers is minimized [Added]
- I3777: Test minimizing the admission of containers wishing to share the host process ID namespace [Added]
- I3778: Test minimizing the admission of containers wishing to share the host IPC namespace [Added]
- I3779: Verify that the admission of containers wishing to share the host network namespace is minimized [Added]
- I3780: Test that the admission of containers minimizes allowPrivilegeEscalation [Added]
T5910: Test network policies to isolate traffic in your cluster network (Amazon EKS) [Added]
- P3577: Lack of Network Policies (Amazon EKS) [Added]
- I3781: Verify that CNI plugin supports network policies [Added]
- I3809: Verify that all Namespaces have Network Policies defined [Added]
T5911: Verify the use of external secrets management for Kubernetes (Amazon EKS) [Added]
- P3578: Insecure Secret Management in Kubernetes (Amazon EKS) [Added]
- I3810: Verify that secrets are managed as files instead of environment variables [Added]
- I3811: Verify that external secret storage is considered [Added]
T5912: Verify that namespaces are used to isolate Kubernetes objects (Amazon EKS) [Added]
- P3579: Lack of Resource Isolation and Access Control (Amazon EKS) [Added]
- I3782: Verify that the default namespace is not used [Added]
- I3812: Test administrative boundaries between resources using namespaces [Added]
T5913: Test that images deployed to Amazon EKS are scanned for vulnerabilities (Amazon EKS) [Added]
- P3580: Lack of Vulnerability Scanning for Container Images (Amazon EKS) [Added]
- I3783: Verify Image Vulnerability Scanning using Amazon ECR [Added]
T5914: Verify the Cluster Service Account configuration for read-only access (Amazon EKS) [Added]
- P3581: Excessive Permissions for Cluster Service Account (Amazon EKS) [Added]
- I3784: Test that cluster access to Amazon ECR is minimized to read-only [Added]
T5915: Verify that Kubernetes workloads use dedicated Service accounts (Amazon EKS) [Added]
- P3582: Lack of Dedicated Service Accounts for Kubernetes Workloads (Amazon EKS) [Added]
- I3785: Verify that dedicated EKS Service Accounts are used [Added]
T5916: Test that Kubernetes secrets are encrypted during Amazon EKS cluster creation (Amazon EKS) [Added]
- P3583: Unencrypted Kubernetes Secrets (Amazon EKS) [Added]
- I3786: Verify that Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS [Added]
T5917: Verify that Endpoint Private Access is enabled (Amazon EKS) [Added]
- P3584: Unrestricted Access to Kubernetes Control Plane (Amazon EKS) [Added]
- I3787: Test Restrict Access to the Control Plane Endpoint [Added]
- I3788: Verify that clusters are created with Private Endpoint Enabled and Public Access Disabled [Added]
- I3789: Verify that clusters are created with Private Nodes [Added]
T5918: Test the network policy implementation options for EKS (Amazon EKS) [Added]
- P3577: Lack of Network Policies (Amazon EKS) [Added]
- I3790: Verify that Network Policy is Enabled and set as appropriate [Added]
- I3791: Verify that traffic is encrypted to HTTPS load balancers with TLS certificates [Added]
T5919: Implement a robust audit log management process in EKS (Amazon EKS) [Added]
- P3569: Lack of Robust Audit Log Management (Amazon EKS) [Added]
- I3725: Enable audit Logs [Added]
- I3726: Ensure audit logs are collected and managed [Added]
T5920: Implement secure permissions for kubelet configuration files (Amazon EKS) [Added]
- P3570: Insecure Permissions on Kubelet Configuration Files (Amazon EKS) [Added]
- I3727: Ensure that the kubeconfig file permissions are set to 644 or more restrictive [Added]
- I3728: Ensure that the kubelet kubeconfig file ownership is set to root:root [Added]
- I3729: Ensure that the kubelet configuration file has permissions set to 644 or more restrictive [Added]
- I3730: Ensure that the kubelet configuration file ownership is set to root:root [Added]
T5921: Secure Kubelet Server by Disabling Anonymous Requests (Amazon EKS) [Added]
- P3571: Anonymous Request Handling Vulnerability (Amazon EKS) [Added]
- I3731: Ensure that the Anonymous Auth is Not Enabled [Added]
- I3732: Ensure that the --authorization-mode argument is not set to AlwaysAllow [Added]
- I3733: Ensure that a Client CA File is Configured [Added]
T5922: Disable read-only port to enhance system security (Amazon EKS) [Added]
- P3572: Unauthorized Access via Read-Only Port (Amazon EKS) [Added]
- I3734: Ensure that the --read-only-port is disabled [Added]
- I3735: Ensure that the --streaming-connection-idle-timeout argument is not set to 0 [Added]
T5923: Configure eventRecordQPS in Kubelet settings (Amazon EKS) [Added]
- P3573: Unrestricted Event Logging Leading to Denial of Service (Amazon EKS) [Added]
- I3736: Ensure that the --make-iptables-util-chains argument is set to true [Added]
- I3737: Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture [Added]
T5924: Implement certificate rotation for Kubernetes clusters (Amazon EKS) [Added]
- P3574: Lack of Certificate Rotation (Amazon EKS) [Added]
- I3738: Ensure that the --rotate-certificates argument is not present or is set to true [Added]
- I3739: Ensure that the RotateKubeletServerCertificate argument is set to true [Added]
T5925: Restrict access to Kubernetes secrets and roles (Amazon EKS) [Added]
- P3575: Excessive Privilege Assignment (Amazon EKS) [Added]
- I3740: Ensure that the cluster-admin role is only used where required [Added]
- I3741: Ensure that default service accounts are not actively used. [Added]
- I3742: Ensure that Service Account Tokens are only mounted where necessary [Added]
- I3743: Cluster Access Manager API to streamline and enhance the management of access controls within EKS clusters [Added]
- I3757: Manage Kubernetes RBAC users with AWS IAM Authenticator for Kubernetes or Upgrade to AWS CLI v1.16.156 or greater [Added]
- I3793: Minimize access to secrets [Added]
- I3794: Minimize wildcard use in Roles and ClusterRoles [Added]
- I3795: Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster [Added]
T5926: Restrict container privileges in Kubernetes (Kubernetes) [Added]
- P3576: Excessive Container Privileges (Amazon EKS) [Added]
- I3744: Minimize the admission of privileged containers [Added]
- I3745: Minimize the admission of containers with allowPrivilegeEscalation [Added]
- I3796: Minimize the admission of containers wishing to share the host process ID namespace [Added]
- I3797: Minimize the admission of containers wishing to share the host IPC namespace [Added]
- I3798: Minimize the admission of containers wishing to share the host network namespace [Added]
T5927: Implement network policies for enhanced security in Kubernetes (Amazon EKS) [Added]
- P3577: Lack of Network Policies (Amazon EKS) [Added]
- I3746: Ensure CNI plugin supports network policies. [Added]
- I3799: Ensure that all Namespaces have Network Policies defined [Added]
T5928: Organize and Isolate Resources with Kubernetes Namespaces (Amazon EKS) [Added]
- P3579: Lack of Resource Isolation and Access Control (Amazon EKS) [Added]
- I3802: Create administrative boundaries between resources using namespaces [Added]
- I3803: The default namespace should not be used [Added]
T5929: Implement a vulnerability scanning process for deployed images (Amazon EKS) [Added]
- P3580: Lack of Vulnerability Scanning for Container Images (Amazon EKS) [Added]
- I3747: Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third party provider [Added]
T5930: Restrict Cluster Service Account Permissions for Amazon ECR (Amazon EKS) [Added]
- P3581: Excessive Permissions for Cluster Service Account (Amazon EKS) [Added]
- I3748: Minimize user access to Amazon ECR [Added]
- I3749: Minimize cluster access to read-only for Amazon ECR [Added]
T5931: Implement encryption for Kubernetes secrets (Amazon EKS) [Added]
- P3583: Unencrypted Kubernetes Secrets (Amazon EKS) [Added]
- I3751: Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS [Added]
T5932: Restrict access to the Kubernetes control plane (Amazon EKS) [Added]
- P3584: Unrestricted Access to Kubernetes Control Plane (Amazon EKS) [Added]
- I3752: Restrict Access to the Control Plane Endpoint [Added]
- I3753: Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled [Added]
- I3754: Ensure clusters are created with Private Nodes [Added]
T5933: Implement network policies for enhanced security (Amazon EKS) [Added]
- P3577: Lack of Network Policies (Amazon EKS) [Added]
- I3755: Ensure Network Policy is Enabled and set as appropriate [Added]
- I3756: Encrypt traffic to HTTPS load balancers with TLS certificates [Added]
T5934: Implement an external secrets management system for Kubernetes (Amazon EKS) [Added]
- P3578: Insecure Secret Management in Kubernetes (Amazon EKS) [Added]
- I3800: Prefer using secrets as files over secrets as environment variables [Added]
- I3801: Consider external secret storage [Added]
T5935: Implement dedicated service accounts for Kubernetes workloads (Amazon EKS) [Added]
- P3582: Lack of Dedicated Service Accounts for Kubernetes Workloads (Amazon EKS) [Added]
- I3750: Prefer using dedicated EKS Service Accounts [Added]
T5936: Verify that the kubelet service file permissions are secure (Kubernetes Worker Node) [Added]
- P3585: Insecure File Permissions on Configuration Files (Kubernetes Worker Node) [Added]
T5937: Implement strict file permissions for Kubernetes configuration files (Kubernetes Worker Node) [Added]
- P3585: Insecure File Permissions on Configuration Files (Kubernetes Worker Node) [Added]
Changes to Project Properties and Profiles
- Q193: Components
  - Q101: Components In Development
    - A1077: Firmware, embedded, or hardware solution [Updated]
      - INFO: Updated the children.
- Q195: Language and Framework
  - Q109: Programming Language
    - Q110: Technology/Framework
      - A2319: Vue.js [Added]
- Q206: Privacy
  - Q160: Handles Personal Data
    - Q454: US State-Specific Privacy Legislation
      - A1255: California Civil Code (CCPA and CPRA) [Updated]
        
        INFO: Updated the question.
      - A1256: CalOPPA [Updated]
        
        INFO: Updated the question.
      - A1996: Virginia CDPA [Updated]
        
        INFO: Updated the description and match conditions.
      - A1997: Colorado PA [Updated]
        
        INFO: Updated the match conditions.
      - A1998: Connecticut PDPOM [Updated]
        
        INFO: Updated the match conditions.
      - A1999: Utah CPA [Updated]
        
        INFO: Updated the match conditions.
      - A2000: Oregon PL [Updated]
        
        INFO: Updated the match conditions.
      - A2001: Texas DPSA [Updated]
        
        INFO: Updated the match conditions.
      - A2002: Montana CDPA [Updated]
        
        INFO: Updated the description and match conditions.
      - A2214: Delaware PDPA [Added]
      - A2215: Iowa CDPA [Added]
      - A2216: Nebraska DPA [Added]
      - A2217: New Hampshire DPA [Added]
      - A2218: New Jersey DPA [Added]
- Q207: Application Layer
  - Q186: Application Layer Protocols Used
    - A2317: gRPC [Added]
- Q211: Development Tools
  - Q364: Version Control Platforms [Updated]
    - INFO: Updated the text.
- Q237: Compliance Scope: Other
  - Q489: In scope for EN 18031 [Added]
    - Q490: Specific details about your device (Related to 18031-1) [Added]
      - A2259: There are legal restrictions that prevent the implementation of access control [Added]
      - A2260: The device is designed in a fashion or deployed in an environment where physical/logical measures make unauthorized access to sensitive/confidential information in transit impossible [Added]
      - A2261: The device is designed in a fashion or deployed in an environment where physical/logical measures make unauthorized access to sensitive/confidential information at rest impossible [Added]
      - A2262: An absence of authentication features is necessary for your device's functionality [Added]
      - A2263: Your device does not have software update capabilities because of functional safety [Added]
      - A2264: Your device's software is immutable [Added]
      - A2265: Your device's network interfaces are used solely in a local network that does not interoperate with other networks [Added]
      - A2266: Your device exchanges data between different networks to permanently connect other devices directly to the internet [Added]
      - A2267: Conflicting security goals do not allow for implementing functionality for changing authenticator information [Added]
      - A2268: Other devices in your device's network provide sufficient protection against DoS attacks and loss of essential network operation functions [Added]
      - A2269: Alternative measures to software updates adequately protect the affected security and network assets throughout the device's lifecycle [Added]
      - A2270: Your device is meant to be publically accessed [Added]
      - A2271: Your device's software affects network or security assets [Added]
      - A2272: Your device requires deviation from secure communication best practices concerning integrity/authenticity for interoperability reasons [Added]
      - A2273: Your device manages access to network/security objects over user interfaces where physical or logical measures in the environment provide confidence in the correctness of the entity's claim [Added]
      - A2274: Managed access is only used for reading personal information, privacy functions, or privacy function configuration where access without authentication is needed to enable intended equipment functionality [Added]
      - A2275: Managed access is only used for reading personal information, privacy functions, or privacy function configuration where legal implications do not allow for authentication mechanisms [Added]
      - A2276: Temporary exposure of network assets or security assets is required as part of establishing or managing a connection [Added]
      - A2277: Deviation from confidentiality best practices is inevitable for interoperability reasons [Added]
      - A2278: Duplicate transfer of information to your device's network interface does not constitute a replay attack [Added]
      - A2279: Deviation from best practices against replay attacks is inevitable for interoperability reasons [Added]
      - A2280: Your device uses preinstalled confidential cryptographic keys to establish initial trust relationships under conditions controlled by an authorized entity [Added]
      - A2281: Your device uses preinstalled confidential cryptographic keys that are shared parameters required for the equipment's intended functionality [Added]
      - A2282: Your device currently has publicly-known and exploitable hardware or software vulnerabilities that affect security or network assets and have not been risk-addressed [Added]
      - A2283: Your device exposes network interface or services in its factory default state which affect security or network assets [Added]
      - A2284: Your device has an external interface that is capable of receiving input [Added]
      - A2285: Your device uses or generates confidential cryptographic keys [Added]
    - A2258: In scope for EN 18031-1 [Added]
- Q243: Internal Hidden Properties
  - Q189: Internal Properties (Use this, for all hidden answers)
    - A718: The application is a generic server application [Updated]
      - INFO: Updated the children.
    - A740: This is a new project [Updated]
      - INFO: Updated the children.
    - A1061: Set of default answers for software profiles [Updated]
      - INFO: Updated the text and children.
    - A2008: LLM Role-based [Updated]
      - INFO: Updated the match conditions.
    - A2009: LLM Role-agnostic [Updated]
      - INFO: Updated the match conditions.
    - A2010: MD Role-based [Updated]
      - INFO: Updated the match conditions.
    - A2011: MD Role-agnostic [Updated]
      - INFO: Updated the match conditions.
    - A2309: IBM Cloud All Services [Added]
    - A2320: Classification Off [Added]
- Q289: Cloud Computing
  - Q290: Cloud Providers
    - A2308: IBM Cloud [Added]
- Q299: General
  - Q375: CI/CD Tools
    - A2257: JFrog [Added]
- Q307: Containerization
  - Q308: Containerization Technologies
    - Q506: Kubernetes Profiles [Added]
      - A2310: Master Node [Added]
      - A2311: Worker Node [Added]
- Q362: Microsoft Azure
  - Q306: Azure Services
    - Q502: Azure Windows Profiles [Added]
      - A2314: Member Server [Added]
      - A2315: Domain Controller [Added]
    - Q370: More Azure Services
      - A1196: Azure Multi-Factor Authentication [Unpublished]
      - A1204: Azure Key Vault [Updated]
        
        INFO: Updated the question.
  - Q365: Azure Cloud Configuration
    - A2132: Azure Subscriptions [Added]
- Q369: Network Technologies
  - Q372: Network Components
    - Q507: Message Brokers [Added]
      - A2316: Apache Kafka [Added]
- Q461: AI and Machine Learning
  - Q357: Artificial Intelligence/Machine Learning
    - Q457: AI Content Organization
      - A1629: Role-based AI content [Updated]
        
        INFO: Updated the children.
      - A2007: Role-agnostic AI content [Updated]
        
        INFO: Updated the children.
    - A2223: Agentic AI (LLM-Based) [Added]
- Q503: IBM Cloud [Added]
  - Q488: IBM Cloud Services [Added]
    - A2246: IBM Cloud VPC [Added]
    - A2247: IBM Cloud Object Storage [Added]
    - A2248: IBM Key Management Services [Added]
    - A2249: IBM Cloud Container Registry [Added]
    - A2250: IBM Cloud Database [Added]
    - A2251: IBM Cloudant [Added]
    - A2252: IBM Cloud Internet Services [Added]
    - A2253: IBM Key Protect [Added]
    - A2254: IBM Cloud Block Storage [Added]
    - A2255: IBM Cloud Activity Tracker [Added]
    - A2256: IBM Cloud Kubernetes Service [Added]
Added Components
- SC807: IBM Cloud VPC
- SC808: IBM Cloud Object Storage
- SC809: IBM Key Management Services
- SC810: IBM Cloud Container Registry
- SC811: IBM Cloud Database
- SC812: IBM Cloudant
- SC813: IBM Cloud Internet Services
- SC814: IBM Key Protect
- SC815: IBM Cloud Block Storage
- SC816: IBM Cloud Activity Tracker
- SC817: IBM Cloud Kubernetes Service
- SC818: JFrog
- SC819: Apache Kafka
Updated Components
- SC64: Amazon EKS
  - INFO: Updated the description.

2025.1

April 26, 2025

New features and enhancements

System View and Compliance Report Export
- Behind a feature flag, we have added a new dedicated dashboard for users to manage a grouping of projects into one system view.
- Added the ability to also export a compliance report based off a regulation (i.e. GDPR) under a selected System view, which will group all the projects in a CSV with the Task ID, Project Name, and Task Status (grouped by the tasks).
Jira, Skip & Log UX Enhancement
- Added improved error messaging on the Jira sync logs when Skip & Log is enabled, providing not only every error that occurred but also included the Task ID and the Jira URL link (if available).
RIA JIRA Comment Sync support
- We have extended the in-app JIRA comment Sync to be supported in RIA installations
- JIRA Comment Sync will have the same configurations as the current functionality but will sync comments within the existing sync process between tasks
New Library Threats UI and API
- Added the ability to surface threats in the Library and to create and manage custom/builtin threats.
  - Added the ability to filter the Library Countermeasures page by active status, type, and CAPEC.
  - Added the ability to save a copy of an existing Library Threat.
  - Added the ability for users to map Threats to Weaknesses and CAPECs.
  - Added full create, read, update, and delete via Library Threats API.
New Library Countermeasure List Page Improvements
- Added the ability to retain and share curated search results for library countermeasure page.
- Added the ability to configure the Countermeasure table to user preferences and expand full width.
- Added a new UX filter that allows users to intuitively select multiple filters.
- Modified labels are now present in read-only view.
Navigator
- Added a generative AI-powered conversationalist interface within SD Elements that enables users to interact intuitively with the SD Elements Library.

Updates

EOL of Integrations
- Informing that we have integrations that have not been used actively in the last 2 years and will be EOL for 2025.1 release
- The following Integrations will be removed: Archer, VersionOne, IBM RTC, Pivotal Tracker; HP WebInspect, & Mend - Please see the User Guide documentation here.

Summary of content updates

Improved the content of several countermeasures and weaknesses for clarity and currency.
EU Data Act
- Added a new compliance regulation
- 10 new countermeasures and 10 weaknesses were created to cover as much relevant content from the Act as possible
- 7 terms were added to the Glossary and referenced in the content to clarify legal language when specific terms are used.
Mobile content
- iOS: 6 new countermeasures, 6 corresponding test tasks, and 6 weaknesses
- Android: 3 new countermeasures, 3 corresponding test tasks, and 3 weaknesses
New Just-in-Time Training
- iOS/Swift
- Android/Kotlin
CIS AWS Foundations
- Added new countermeasures, weaknesses, and howtos. Updated existing countermeasures.
- Added a new regulation report for AWS Foundations 4.0.1.
Components Added new components: blockchain, smart contract, Containerd, low-code/no-code, and Micronaut.
Accessibility
- Added a dependent component.
- Added regulation report for Web Content Accessibility Guidelines (WCAG) 2.1

EU Radio Equipment Directive (EU RED)

- Added a new compliance regulation 
- Added 14 new countermeasures and 13 new weaknesses

Content additions and updates (as of April 1, 2025):

Added JITTs
- Secure Software Design (26)
- Defending iOS (26)
- Defending Swift (26)
Compliance Regulations and Mappings
- Added Web Content Accessibility Guidelines (WCAG) 2.1
- Added EU Data Act
- Added MITRE ATLAS
- Added OWASP Top 10 for LLM Applications 2025
- Added CIS AWS Foundations v4.0.1
- Added CIS Azure Compute Services
- Added ISO 27701
- Added CIS Oracle Cloud Infrastructure
- Added EU Radio Equipment Directive (RED)
- Added 2024 CWE Top 25 Most Dangerous Software Weaknesses
- Added India Digital Personal Data Protection Act (DPDPA) 2023
- Updated ASD-STIG [INFO: Updated the regulation sections].
- Updated PCI-SSS-v1.2.1 [INFO: Updated the regulation sections].
- Updated US AI Regulation [INFO: Updated the regulation sections].
- Updated US AI Regulation [INFO: Updated the regulation sections].
Content Packs
- Added Blockchain
- Added Smart Contract
- Added Containerd
- Added Accessibility
- Added EU Data Act
- Added Low-Code/No-Code
- Added Micronaut
- Added CIS Azure Compute Services
- Added ISO 27701 (2019)
- Added CIS Oracle Cloud Infrastructure
- Added Oracle
- Added EU RED
- Added EN 18031-1
- Added India DPDPA
- Updated EU AI Act [INFO: Updated the created date time].
- Updated CircleCI [INFO: Updated the created date time].
- Updated EU Digital Operational Resilience Act [INFO: Updated the created date time].
T146: Use encryption for network communications in mobile environments
- TA6250: Enabling Confidentiality on the Air Interface [Updated]
  - INFO: Updated the match conditions.
- TA6251: Ensure Confidentiality Protection of S1 Interface [Updated]
  - INFO: Updated the match conditions.
T176: Apply principles of privacy when handling personal information
- TA7098: Breach prevention [Added]
- TA7102: Data protection officer [Added]
- TA7103: Independent data auditor [Added]
- P257: Privacy Violation [Updated]
  - INFO: Updated the match conditions.
T179: Allow access for users to remove their personal information from the system
- TA7100: Data retention and disposal [Added]
T207: Provide special data protection for children's personal information
- TA7101: Children data protection [Added]
- P257: Privacy Violation [Updated]
  - INFO: Updated the match conditions.
T313: Identify and classify categories of personal information
- TA7097: Data quality and accuracy [Added]
- P257: Privacy Violation [Updated]
  - INFO: Updated the match conditions.
T663: Delete root user access keys in AWS (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1923: Ensure no 'root' user account access key exists [Added]
- I1926: Eliminate use of the 'root' user for administrative and daily tasks [Added]
T664: Enable Multi-Factor Authentication for AWS Console Access (AWS Identity and Access Management) [Updated]
- INFO: Updated the title and text.
- I1929: Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password [Added]
T665: Deactivate unused AWS IAM credentials (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1931: Ensure credentials unused for 45 days or more are disabled [Added]
T666: Rotate access keys regularly in AWS (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1933: Ensure access keys are rotated every 90 days or less [Added]
T667: Enforce password complexity with IAM password policies (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1927: Ensure IAM password policy requires minimum length of 14 or greater [Added]
- I1928: Ensure IAM password policy prevents password reuse [Added]
T671: Enable Multi-Factor Authentication for AWS Root Account (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1924: Ensure MFA is enabled for the 'root' user account [Added]
T672: Establish security questions for AWS support authentication (AWS Support Portal) [Updated]
- INFO: Updated the title and text.
- I1922: Ensure security questions are registered in the AWS account [Added]
T673: Add users to IAM groups with attached policies (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1934: Ensure IAM users receive permissions only through groups [Added]
T676: Ensure contact details are current in AWS accounts (AWS Account Management) [Updated]
- INFO: Updated the title and text.
- I1920: Maintain current contact details [Added]
T677: Specify contact information for account's security team (AWS Account Management) [Updated]
- INFO: Updated the title and text.
- I1921: Ensure security contact information is registered [Added]
T678: Create an IAM Role for Incident Management (AWS Support) [Updated]
- INFO: Updated the title and text.
- I1936: Ensure a support role has been created to manage incidents with AWS Support [Added]
T679: Create IAM User Credentials for Access (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1930: Do not create access keys during initial setup for IAM users with a console password [Added]
T680: Implement least privilege access with IAM policies (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1935: Ensure IAM policies that allow full ":" administrative privileges are not attached [Added]
T681: Record AWS API calls with AWS CloudTrail (AWS CloudTrail) [Updated]
- INFO: Updated the title and text.
- I1950: Ensure CloudTrail is enabled in all regions [Added]
T684: Enable AWS Config for Configuration Management (AWS Config) [Updated]
- INFO: Updated the title and text.
- I1952: Ensure AWS Config is enabled in all regions [Added]
T685: Enable server access logging for S3 buckets (AWS S3) [Updated]
- INFO: Updated the title and text.
- I1953: Ensure that server access logging is enabled on the CloudTrail S3 bucket [Added]
- I1957: Ensure that object-level logging for write events is enabled for S3 buckets [Added]
- I1958: Ensure that object-level logging for read events is enabled for S3 buckets [Added]
T686: Establish metric filters and alarms for API calls in AWS CloudTrail (AWS CloudTrail) [Updated]
- INFO: Updated the title and text.
- I1959: Ensure unauthorized API calls are monitored [Added]
- I1960: Ensure management console sign-in without MFA is monitored [Added]
- I1961: Ensure usage of the 'root' account is monitored [Added]
- I1962: Ensure IAM policy changes are monitored [Added]
- I1963: Ensure CloudTrail configuration changes are monitored [Added]
- I1964: Ensure AWS Management Console authentication failures are monitored [Added]
- I1965: Ensure disabling or scheduled deletion of customer created CMKs is monitored [Added]
- I1966: Ensure S3 bucket policy changes are monitored [Added]
- I1967: Ensure AWS Config configuration changes are monitored [Added]
- I1968: Ensure security group changes are monitored [Added]
- I1969: Ensure Network Access Control List (NACL) changes are monitored [Added]
- I1970: Ensure changes to network gateways are monitored [Added]
- I1971: Ensure route table changes are monitored [Added]
- I1972: Ensure VPC changes are monitored [Added]
- I1973: Ensure AWS Organizations changes are monitored [Added]
- I1974: Ensure AWS Security Hub is enabled [Added]
T688: Restrict Ingress Access to Remote Server Administration Ports (AWS Network Access Control List) [Updated]
- INFO: Updated the title and text.
- I1975: Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports [Added]
- I1976: Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports [Added]
- I1977: Ensure no security groups allow ingress from ::/0 to remote server administration ports [Added]
T689: Protect the 'root' user account with hardware MFA (AWS Identity and Access Management) [Updated]
- INFO: Updated the title and text.
- I1925: Ensure hardware MFA is enabled for the 'root' user account [Added]
T690: Assign IAM Roles to EC2 Instances for AWS Access (AWS EC2) [Updated]
- INFO: Updated the title and text.
- I1937: Ensure IAM instance roles are used for AWS resource access from instances [Added]
T691: Enable file validation for CloudTrail logs (AWS CloudTrail) [Updated]
- INFO: Updated the title and text.
- I1951: Ensure CloudTrail log file validation is enabled [Added]
T692: Configure AWS CloudTrail to use SSE-KMS for enhanced security (AWS CloudTrail) [Updated]
- INFO: Updated the title and text.
- I1954: Ensure CloudTrail logs are encrypted at rest using KMS CMKs [Added]
T693: Enable CMK key rotation for AWS Key Management Service (AWS KMS) [Updated]
- INFO: Updated the title and text.
- I1955: Ensure rotation for customer-created symmetric CMKs is enabled [Added]
T694: Capture IP traffic information with VPC Flow Logs (AWS VPC) [Updated]
- INFO: Updated the title and text.
- I1956: Ensure VPC flow logging is enabled in all VPCs [Added]
T695: Restrict all traffic in the default security group (AWS VPC) [Updated]
- INFO: Updated the title and text.
- I1978: Ensure the default security group of every VPC restricts all traffic [Added]
T696: Update routing tables for VPC peering connections (AWS VPC) [Updated]
- INFO: Updated the title and text.
- I1979: Ensure routing tables for VPC peering are "least access" [Added]
T697: Verify that the 'root' user account access keys are deleted (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1986: Verify that no 'root' user account access key exists [Added]
- I1989: Test that the 'root' user is not used for administrative and daily tasks [Added]
T698: Verify that Multi-Factor Authentication is enabled for all accounts (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1992: Verify that multi-factor authentication is enabled for all IAM users [Added]
T699: Verify that unused AWS IAM credentials are deactivated (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1994: Verify that unused credentials are disabled after 45 days [Added]
T700: Verify that access keys are rotated regularly (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1996: Verify that access keys are rotated every 90 days or less [Added]
T701: Verify that IAM password policies enforce complexity requirements (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1990: Verify that IAM password policy requires minimum length of 14 or greater [Added]
- I1991: Verify that IAM password policy prevents password reuse [Added]
T705: Verify that Multi-Factor Authentication is enabled for root accounts (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1987: Verify that MFA is enabled for the 'root' user account [Added]
T706: Verify that security questions are established for account authentication (AWS Support Portal) [Updated]
- INFO: Updated the title and text.
- I1985: Verify that security questions are registered in the AWS account [Added]
T707: Verify that IAM policies enforce least privilege (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1997: Verify that IAM users receive permissions only through groups [Added]
- I1998: Verify that IAM policies do not allow full administrative privileges [Added]
T710: Verify that contact details for AWS accounts are current (AWS Account Management) [Updated]
- INFO: Updated the title and text.
- I1983: Verify that the application's contact details are maintained [Added]
T711: Verify that the account's security team contact information is specified (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1984: Verify that security contact information is registered [Added]
T712: Verify that IAM Roles are configured for incident management (AWS Support) [Updated]
- INFO: Updated the title and text.
- I1999: Verify that a support role has been created to manage incidents with AWS Support [Added]
T713: Verify that IAM user access types are configured correctly (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I1993: Verify that access keys are not created during initial setup for IAM users with a console password [Added]
T715: Verify that AWS API calls are logged and monitored (AWS CloudTrail) [Updated]
- INFO: Updated the title and text.
- I2013: Verify that CloudTrail is enabled in all regions [Added]
T718: Verify that AWS Config is enabled in all regions (AWS Config) [Updated]
- INFO: Updated the title and text.
- I2015: Verify that AWS Config is enabled in all regions [Added]
T719: Verify that server access logging is enabled for S3 buckets (AWS S3) [Updated]
- INFO: Updated the title and text.
- I2016: Verify that server access logging is enabled on the CloudTrail S3 bucket [Added]
- I2020: Verify that object-level logging for write events is enabled for S3 buckets [Added]
- I2021: Verify that object-level logging for read events is enabled for S3 buckets [Added]
T720: Verify that metric filters and alarms are established for unauthorized API calls (AWS CloudTrail) [Updated]
- INFO: Updated the title and text.
- I2022: Verify that unauthorized API calls are monitored [Added]
- I2023: Verify that management console sign-in without MFA is monitored [Added]
- I2024: Verify that the 'root' account usage is monitored [Added]
- I2025: Verify that IAM policy changes are monitored [Added]
- I2026: Verify that CloudTrail configuration changes are monitored [Added]
- I2027: Verify that AWS Management Console authentication failures are monitored [Added]
- I2028: Verify that the scheduled deletion of customer created CMKs is monitored [Added]
- I2029: Verify that S3 bucket policy changes are monitored [Added]
- I2030: Verify that AWS Config configuration changes are monitored [Added]
- I2031: Verify that security group changes are monitored [Added]
- I2032: Verify that Network Access Control List (NACL) changes are monitored [Added]
- I2033: Verify that changes to network gateways are monitored [Added]
- I2034: Verify that route table changes are monitored [Added]
- I2035: Verify that VPC changes are monitored [Added]
- I2036: Verify that AWS Organizations changes are monitored [Added]
- I2037: Verify that AWS Security Hub is enabled [Added]
T722: Verify that no NACL allows unrestricted ingress access to remote server administration ports (AWS Network Access Control List) [Updated]
- INFO: Updated the title and text.
- I2038: Verify that no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports [Added]
- I2039: Verify that security groups do not allow ingress from 0.0.0.0/0 to remote server administration ports [Added]
- I2040: Verify that security groups do not allow ingress from ::/0 to remote server administration ports [Added]
T723: Verify that the 'root' user account is protected with MFA (AWS Identity and Access Management) [Updated]
- INFO: Updated the title and text.
- I1988: Verify that hardware MFA is enabled for the 'root' user account [Added]
T724: Verify that AWS access is properly managed through roles (AWS IAM) [Updated]
- INFO: Updated the title and text.
- I2000: Verify that IAM instance roles are used for AWS resource access from instances [Added]
T725: Verify that CloudTrail log file validation is enabled (AWS CloudTrail) [Updated]
- INFO: Updated the title and text.
- I2014: Verify that CloudTrail log file validation is enabled [Added]
T726: Verify that CloudTrail logs are configured to use SSE-KMS (AWS CloudTrail) [Updated]
- INFO: Updated the title and text.
- I2017: Verify that CloudTrail logs are encrypted at rest using KMS CMKs [Added]
T727: Verify that key rotation is enabled for symmetric keys (AWS Key Management Service) [Updated]
- INFO: Updated the title and text.
- I2018: Verify that rotation for customer-created symmetric CMKs is enabled [Added]
T728: Verify that VPC Flow Logs are enabled for packet rejects (AWS VPC Flow Logs) [Updated]
- INFO: Updated the title and text.
- I2019: Verify that VPC flow logging is enabled in all VPCs [Added]
T729: Verify that the default security group restricts all traffic (AWS VPC) [Updated]
- INFO: Updated the title and text.
- I2041: Verify that the default security group of every VPC restricts all traffic [Added]
T730: Verify that routing tables are updated for VPC peering connections (AWS VPC) [Updated]
- INFO: Updated the title and text.
- I2042: Verify that VPC peering routing tables enforce least access [Added]
T766: Encrypt data on Amazon RDS using AES-256 (Amazon RDS) [Updated]
- INFO: Updated the title and text.
- I1946: Ensure that encryption-at-rest is enabled for RDS instances [Added]
- I1947: Ensure the Auto Minor Version Upgrade feature is enabled for RDS instances [Added]
- I1948: Ensure that RDS instances are not publicly accessible [Added]
- I1949: Ensure Multi-AZ deployments are used for enhanced availability in Amazon RDS [Added]
T767: Force encryption at EBS volume creation in Amazon EC2 (AWS Elastic Compute Cloud) [Updated]
- INFO: Updated the title and text.
- I1981: Ensure EBS volume encryption is enabled in all regions [Added]
T770: Configure S3 bucket policies for secure access (Amazon S3) [Updated]
- INFO: Updated the title and text.
- I1942: Ensure S3 Bucket Policy is set to deny HTTP requests [Added]
- I1943: Ensure MFA Delete is enabled on S3 buckets [Added]
- I1944: Ensure all data in Amazon S3 has been discovered, classified, and secured when necessary [Added]
- I1945: Ensure that S3 is configured with 'Block Public Access' enabled [Added]
T799: Verify that RDS database instances restrict unauthorized access (Amazon RDS) [Updated]
- INFO: Updated the title and text.
- I2009: Verify that encryption-at-rest is enabled for RDS instances [Added]
- I2010: Verify that the Auto Minor Version Upgrade feature is enabled for RDS instances [Added]
- I2011: Verify that RDS instances are not publicly accessible [Added]
- I2012: Verify that Multi-AZ deployments are used for enhanced availability in Amazon RDS [Added]
T800: Verify that EBS volumes are encrypted at rest (AWS Elastic Compute Cloud) [Updated]
- INFO: Updated the title and text.
- I2044: Verify that EBS volume encryption is enabled in all regions [Added]
T803: Verify that Amazon S3 bucket permissions are configured for HTTPS access (AWS S3) [Updated]
- INFO: Updated the title and text.
- I2005: Verify that S3 Bucket Policy is set to deny HTTP requests [Added]
- I2006: Verify that MFA Delete is enabled on S3 buckets [Added]
- I2007: Verify that all data in Amazon S3 has been discovered, classified, and secured when necessary [Added]
- I2008: Verify that S3 is configured with 'Block Public Access' enabled [Added]
T1891: Perform Privacy Impact Assessment (PIA)
- TA7104: Data protection impact assessments [Added]
T2128: Notify users and regulators of breaches of personal information
- TA7099: Breach notification [Added]
- P257: Privacy Violation [Updated]
  - INFO: Updated the match conditions.
T2257: Regularly update and patch containerization systems [Updated]
- INFO: Updated the title, text, and, priority from 6 to 10.
T2444: Secure authentication to and from worker nodes (Containerization)
- I1816: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.3) [Unpublished]
- TA6272: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.3) [Unpublished]
T2445: Verify secure authentication to and from worker nodes (Containerization)
- TA6273: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.3) [Unpublished]
T2450: Protect worker nodes with proper flags and arguments (Containerization)
- I1819: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.6) [Unpublished]
- I1820: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.7) [Unpublished]
- I1821: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.8) [Unpublished]
- TA6278: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.6) [Unpublished]
- TA6280: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.7) [Unpublished]
- TA6282: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.8) [Unpublished]
T2451: Verify that worker nodes are protected with proper flags and arguments (Containerization)
- TA6279: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.6) [Unpublished]
- TA6281: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.7) [Unpublished]
- TA6283: CIS Azure Kubernetes Service (AKS) Benchmark v1.2.0 (Level 1, Recommendation 3.2.8) [Unpublished]
T2542: Address necessary human-AI configurations and oversight of AI systems
- TA7090: Human operators and businesses liability [Added]
T4015: Provide comprehensive technical documentation for high-risk AI systems
- TA7092: Documentation and risk assessment processes [Added]
T4019: Implement transparency with users of high-risk AI systems
- TA7093: Transparency and disclosure of information to consumers [Added]
T4024: Ensure the responsible and compliant use of high-risk AI systems by deployers
- TA7091: Risk management policies in AI systems [Added]
T4601: Prioritize static network configuration [Updated]
- INFO: Updated the title and text.
T4722: Implement decentralized mining pools [Added]
- P2530: Centralized Mining Power (Proof-of-Work Blockchains) [Added]
T4723: Implement identity verification to mitigate sybil attacks [Added]
- P2531: Lack of Identity Verification (Network Systems) [Added]
T4724: Implement diverse peer selection [Added]
- P2532: Lack of Diverse Peer Selection (Networked Applications) [Added]
T4725: Implement post-quantum cryptography [Added]
- P2533: Vulnerability to Quantum Decryption (Cryptographic Systems) [Added]
T4726: Conduct regular blockchain security awareness training [Added]
- P2534: Human Error Vulnerabilities in Organizational Security (General Workforce) [Added]
T4727: Implement secure routing protocols [Added]
- P2535: Insecure Routing Protocols (Network Infrastructure) [Added]
T4728: Implement traffic filtering and rate limiting [Added]
- P2536: Unrestricted Resource Consumption (Web Services) [Added]
T4729: Use hardware wallets [Added]
- P2537: Insecure Private Key Storage (Cryptocurrency Wallets) [Added]
T4730: Implement Multi-Factor Authentication (MFA) for blockchain systems [Added]
- P2538: Lack of Multi-Factor Authentication (Blockchain Systems) [Added]
T4731: Conduct regular blockchain security audits [Added]
- P2539: Lack of Regular Security Audits (General Software Systems) [Added]
T4732: Adopt OWASP framework for secure coding [Added]
- P2540: Lack of Secure Coding Practices (General Software Development) [Added]
T4733: Implement effective network segmentation [Added]
- P2541: Lack of Effective Network Segmentation (General Network Security) [Added]
T4734: Implement continuous monitoring for network activities [Added]
- P2542: Lack of Continuous Monitoring for Network Activities (General Network Security) [Added]
T4735: Implement Role-Based Access Control (RBAC) in blockchain systems [Added]
- P2543: Lack of Role-Based Access Control (RBAC) in Blockchain Systems [Added]
T4736: Implement secure access controls in smart contracts [Added]
- P2544: Lack of Secure Access Controls in Smart Contracts (Ethereum-based Smart Contracts) [Added]
T4737: Use require(), assert(), and revert() for smart contract safeguards [Added]
- P2545: Lack of Internal Safeguards in Smart Contracts (Solidity-based Smart Contracts) [Added]
T4738: Combine unit testing with property-based testing [Added]
- P2546: Inadequate Testing Framework for Smart Contracts (Smart Contract Platforms) [Added]
T4739: Commission a smart contract audit [Added]
- P2547: Lack of Independent Security Review in Smart Contracts (Smart Contract Platforms) [Added]
T4740: Store all code in a version control system [Added]
- P2548: Lack of Version Control System (General Software Development) [Added]
T4741: Implement contract upgrade mechanisms [Added]
- P2549: Lack of Contract Upgrade Mechanisms (Smart Contracts) [Added]
T4742: Implement a timelock for smart contract governance actions [Added]
- P2550: Immediate Execution of Governance Actions (Smart Contract Systems) [Added]
T4743: Reuse existing libraries for smart contracts [Added]
- P2551: Custom Implementation of Smart Contract Logic (Smart Contracts) [Added]
T4744: Implement checks-effects-interactions pattern [Added]
- P2552: Reentrancy Vulnerability (Smart Contracts) [Added]
T4745: Use a decentralized oracle network [Added]
- P2553: Oracle Manipulation Vulnerability (Blockchain-based Applications) [Added]
T4746: Ensure container images are secure [Added]
- P2554: Use of unverified container images [Added]
T4747: Limit container privileges [Added]
- P2555: Excessive container privileges [Added]
T4748: Implement Role-Based Access Control (RBAC) for container orchestration [Added]
- P2556: Lack of Role-Based Access Control (RBAC) in container orchestration environments [Added]
T4749: Monitor containers in real-time [Added]
- P2557: Lack of real-time monitoring in containerized environments [Added]
T4750: Isolate container networks [Added]
- P2558: Lack of network isolation in containerized environments [Added]
T4751: Reduce the attack surface of container images [Added]
- P2559: Excessive attack surface in container images [Added]
T4752: Implement authentication and logging for Containerd registry access [Added]
- P2560: Lack of authentication and logging for Containerd registry access (Containerd) [Added]
T4753: Implement image scanning for vulnerabilities in Containerd [Added]
- P2561: Lack of image scanning for vulnerabilities (Containerd) [Added]
T4754: Implement user namespaces in Containerd [Added]
- P2562: Lack of user namespace isolation (Containerd) [Added]
T4755: Regularly update and patch Containerd [Added]
- P2563: Outdated software vulnerabilities (Containerd) [Added]
T4756: Implement secure image management in Containerd [Added]
- P2564: Insecure image management in Containerd [Added]
T4757: Implement Role-Based Access Control (RBAC) for Containerd [Added]
- P2566: Lack of Role-Based Access Control (RBAC) in Containerd [Added]
T4758: Implement real-time monitoring for Containerd [Added]
- P2567: Lack of real-time monitoring in Containerd (Containerd) [Added]
T4759: Implement network namespaces for container isolation [Added]
- P2568: Lack of network namespace isolation (Containerd) [Added]
T4760: Remove unnecessary software, libraries, and services from Containerd images [Added]
- P2569: Excessive software, libraries, and services in Containerd images (Containerd) [Added]
T4761: Provide descriptive alternative text for images (accessibility) [Added]
- P2570: Lack of Descriptive Alternative Text for Images (Web Applications) [Added]
T4762: Provide descriptive text transcripts for non-live web-based audio (accessibility) [Added]
- P2571: Lack of Descriptive Text Transcripts for Non-Live Web-Based Audio (Web Applications) [Added]
T4763: Ensure logical and intuitive reading and navigation order (accessibility) [Added]
- P2572: Inconsistent Reading and Navigation Order (Web Applications) [Added]
T4764: Ensure sufficient contrast ratio for text and images of text (accessibility) [Added]
- P2573: Insufficient Contrast Ratio for Text and Images of Text (Web Applications) [Added]
T4765: Implement keyboard accessibility features (accessibility) [Added]
- P2574: Keyboard Navigation Weakness (Web Applications) [Added]
T4766: Allow users to control time limits and interruptions (accessibility) [Added]
- P2575: Lack of User Control Over Time Limits and Interruptions (Generic Web Applications) [Added]
T4767: Disable motion animation triggered by interaction (accessibility) [Added]
- P2576: Uncontrolled Motion Animation Triggered by Interaction (Affected Software) [Added]
T4768: Provide descriptive and informative page titles (accessibility) [Added]
- P2577: Lack of Descriptive and Informative Page Titles (Web Applications) [Added]
T4769: Ensure single pointer operation for gestures (accessibility) [Added]
- P2578: Inadequate Single Pointer Operation for Gestures (Affected Software) [Added]
T4770: Use the HTML lang attribute to identify the language of the page (accessibility) [Added]
- P2579: Lack of HTML lang Attribute (Web Applications) [Added]
T4771: Provide user control over substantial page changes (accessibility) [Added]
- P2580: Lack of User Control Over Substantial Page Changes (Web Applications) [Added]
T4772: Provide clear form validation and error handling (accessibility) [Added]
- P2581: Lack of Clear Form Validation and Error Handling (Web Applications) [Added]
T4773: Use accessible markup for status messages (accessibility) [Added]
- P2582: Inaccessible Status Messages (Web Applications) [Added]
T4794: Determine if the EU Data Act applies to your application (EU DA) [Added]
- P2608: Lack of identifying the compliance requirements applicable to your products and services (EU DA) [Added]
T4795: Ensure transparency and user control over the data with connected products and services (EU DA) [Added]
- P2609: Lack of transparency and user control over data access and usage (EU DA) [Added]
T4796: Ensure user data access rights and protection (EU DA) [Added]
- P2610: Inadequate user control, protection, and transparency in data handling by primary data holders and third parties (EU DA) [Added]
T4797: Adhere to data sharing protocol when making data available (EU DA) [Added]
- P2611: Unfair and incompliant data sharing practices (EU DA) [Added]
T4798: Make data availabe in case of exceptional need to use data (EU DA) [Added]
- P2612: Failure to provide timely data access to public sector bodies in specific situations (EU DA) [Added]
T4799: Facilitate efficient data processing service switching (EU DA) [Added]
- P2613: Failure to provide customer autonomy and flexibility within data processing services (EU DA) [Added]
T4800: Prevent unauthorized international data access (EU DA) [Added]
- P2614: Mishandling international data transfer requests (EU DA) [Added]
T4801: Implement interoperability requirements (EU DA) [Added]
- P2615: Lack of standardized data interoperability and efficient data exchange mechanisms across diverse platforms and services (EU DA) [Added]
T4802: Ensure compliance with essential smart contract requirements (EU DA) [Added]
- P2616: Lack of adherence to standards of security, reliability, and legality for smart contracts used in data sharing (EU DA) [Added]
T4803: Monitor and respond to unauthorized data use (EU DA) [Added]
- P2617: lack of proper response to unauthorized data use (EU DA) [Added]
T4828: Deploy ensemble model defense against adversarial attacks [Added]
T4829: Implement preprocessing defense against adversarial perturbations [Added]
T4830: Ensure aligned training of generative AI models [Added]
T4831: Test robustness of ensemble models against adversarial inputs [Added]
T4832: Test effectiveness of preprocessing against adversarial perturbations [Added]
T4833: Test fine-tuning alignement of generative AI models [Added]
T4834: Implement protection against system prompt leakage [Added]
T4835: Implement defenses against vector and embedding weaknesses [Added]
- P2620: Vector and embedding vulenrabilities in Large Language Models [Added]
T4836: Implement verification and fact-checking to mitigate misinformation [Added]
T4837: Test effectiveness of protections against system prompt leakage [Added]
T4838: Test effectiveness of defenses against vector and embedding weaknesses [Added]
- P2620: Vector and embedding vulenrabilities in Large Language Models [Added]
T4839: Test effectiveness of misinformation mitigatation [Added]
T5230: Additional ASD-STIG requirements for T71 [Added]
- TA7087: ASD-STIG requirements [Added]
T5232: Additional ASD-STIG requirements for T45 [Added]
- TA7088: ASD-STIG requirements [Added]
T5233: Additional ASD-STIG requirements for T437 [Added]
- TA7089: ASD-STIG requirements [Added]
T5500: Adhere to the principle of least privilege (low-code/no-code) [Added]
- P3344: Excessive Privilege Assignment in Low-Code/No-Code Applications [Added]
T5501: Disable or monitor the use of implicitly shared connections (low-code/no-code) [Added]
- P3345: Implicitly Shared Connections in Low-Code/No-Code Platforms [Added]
T5502: Limit connectors to an approved services list (low-code/no-code) [Added]
- P3346: Unrestricted Connector Usage in Low-Code/No-Code Platforms [Added]
T5503: Limit connection creation to dedicated personnel (low-code/no-code) [Added]
- P3347: Insecure Connection Management (Low-Code/No-Code Applications) [Added]
T5504: Implement a change management system for tenant-level configuration (low-code/no-code) [Added]
- P3348: Lack of Change Management System for Tenant-Level Configuration (Low-Code/No-Code Platforms) [Added]
T5505: Sanitize user input (low-code/no-code) [Added]
- P3349: Improper Input Handling in Low-Code/No-Code Applications [Added]
T5506: Continuously inventory and scan application components (low-code/no-code) [Added]
- P3350: Use of Deprecated or Vulnerable Components (Low-Code/No-Code Development Platforms) [Added]
T5507: Educate business users on the compliance, privacy, and security risks related to data storage (low-code/no-code) [Added]
- P3351: Lack of User Awareness on Data Compliance and Security Risks (Low-Code/No-Code Applications) [Added]
T5508: Maintain a comprehensive inventory of applications (low-code/no-code) [Added]
- P3352: Unmanaged or Abandoned Applications (Low-Code/No-Code Applications) [Added]
T5509: Leverage platform built-in capabilities to collect user access and platform audit logs (low-code/no-code) [Added]
- P3353: Inadequate Logging and Audit Trails (Low-Code/No-Code Platforms) [Added]
T5510: Configure and enable SSL with secure cryptography algorithms [Added]
- P3354: Lack of Secure Data Transmission (Micronaut) [Added]
T5511: Configure management endpoints on a separate port [Added]
- P3355: Insecure Exposure of Management Endpoints (Micronaut) [Added]
T5512: Limit scope of URL access rules [Added]
- P3356: Excessive Resource Exposure via URL Access Rules (Micronaut) [Added]
T5513: Implement role-based access control in Micronaut [Added]
- P3357: Lack of Role-Based Access Control (Micronaut) [Added]
T5514: Verify that access keys are securely managed (AWS IAM) [Added]
- P3358: Insecure Access Key Management (AWS IAM) [Added]
- I1995: Verify that there is only one active access key for any single IAM user [Added]
T5515: Verify that HTTPS connections are enabled (AWS IAM) [Added]
- P3359: Lack of HTTPS Encryption (Applications Hosted on AWS) [Added]
- I2001: Verify that expired SSL/TLS certificates are removed from AWS IAM [Added]
T5516: Verify the IAM Access Analyzer for IAM policies (AWS IAM) [Added]
- P3360: Excessive Resource Exposure through IAM Policies (AWS IAM) [Added]
- I2002: Verify that IAM Access Analyzer is enabled for all regions [Added]
T5517: Verify user access management in multi-account environments (AWS IAM) [Added]
- P3361: Decentralized IAM User Management (AWS IAM) [Added]
- I2003: Verify that IAM users are managed centrally via identity federation or AWS Organizations [Added]
T5518: Verify that file transfer capabilities in CloudShell are secured (AWS CloudShell) [Added]
- P3362: Excessive Permissions in AWS CloudShell (AWS CloudShell) [Added]
- I2004: Verify that access to AWSCloudShellFullAccess is restricted [Added]
T5519: Verify the configuration of the Metadata Service on AWS EC2 instances (AWS EC2) [Added]
- P3363: Unauthorized Access to Instance Metadata (AWS EC2) [Added]
- I2043: Verify that the EC2 Metadata Service only allows IMDSv2 [Added]
T5520: Verify that CIFS access is restricted to trusted networks (AWS Storage Gateway) [Added]
- P3364: Unrestricted CIFS Access (AWS EC2) [Added]
- I2045: Verify that CIFS access is restricted to trusted networks [Added]
T5521: Manage access keys securely in AWS IAM (AWS IAM) [Added]
- P3358: Insecure Access Key Management (AWS IAM) [Added]
- I1932: Ensure there is only one active access key for any single IAM user [Added]
T5522: Enable HTTPS connections (AWS IAM) [Added]
- P3359: Lack of HTTPS Encryption (Applications Hosted on AWS) [Added]
- I1938: Ensure that all expired SSL/TLS certificates stored in AWS IAM are removed [Added]
T5523: Enable IAM Access Analyzer for IAM policies (AWS IAM) [Added]
- P3360: Excessive Resource Exposure through IAM Policies (AWS IAM) [Added]
- I1939: Ensure that IAM Access Analyzer is enabled for all regions [Added]
T5524: Manage access to AWS CloudShell with IAM policies (AWS CloudShell) [Added]
- P3362: Excessive Permissions in AWS CloudShell (AWS CloudShell) [Added]
- I1941: Ensure access to AWSCloudShellFullAccess is restricted [Added]
T5525: Choose Instance Metadata Service Version 2 for AWS EC2 (AWS EC2) [Added]
- P3363: Unauthorized Access to Instance Metadata (AWS EC2) [Added]
- I1980: Ensure that the EC2 Metadata Service only allows IMDSv2 [Added]
T5526: Restrict CIFS access to trusted networks using AWS Security Groups (AWS EC2) [Added]
- P3364: Unrestricted CIFS Access (AWS EC2) [Added]
- I1982: Ensure CIFS access is restricted to trusted networks to prevent unauthorized access [Added]
T5527: Centralize IAM User Management (AWS IAM) [Added]
- P3361: Decentralized IAM User Management (AWS IAM) [Added]
- I1940: Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments [Added]
T5528: Verify secure communication settings in Azure App Service (Azure App Service) [Added]
- P3365: Lack of Enforced secure communication (Azure App Service) [Added]
T5529: Verify authentication and client certificate validation(Azure App Service) [Added]
- P3366: Lack of authentication and client certificate validation (Azure App Service) [Added]
T5530: Verify elimination of app secrets using Managed Service Identity (Azure App Service) [Added]
- P3367: Hardcoded Credentials in Application Code (Azure App Service) [Added]
T5531: Verify that web apps use supported versions (Azure App Service) [Added]
- P3368: Use of deprecated language versions in web applications (Azure App Service) [Added]
T5532: Verify secure storage of sensitive information in Azure Key Vault (Azure App Service) [Added]
- P3369: Insecure storage of sensitive information (Azure App Service) [Added]
T5533: Verify Network Security Group configuration for Azure Virtual Networks (Azure Container Instances) [Added]
- P3370: Improper Network Traffic Control (Azure Container Instances) [Added]
T5534: Verify Managed Identity usage for Container Instances (Azure Container Instances) [Added]
- P3371: Lack of Managed Identity for Container Instances (Azure Container Instances) [Added]
T5535: Verify encryption of data in transit with SSL(Azure CycleCloud) [Added]
- P3372: Unencrypted Data Transmission (Azure CycleCloud) [Added]
T5536: Verify secure remote access to Azure Virtual Machines(Azure Virtual Machines) [Added]
- P3373: Exposed Remote Access Protocol Ports (Azure Virtual Machines) [Added]
T5537: Verify migration of blob-based VHDs to Managed Disks on Virtual Machines (Azure Virtual Machines) [Added]
- P3374: Insecure Storage Configuration (Azure Virtual Machines) [Added]
T5538: Verify encryption of OS, data, and unattached disks with CMK (Azure Virtual Machines) [Added]
- P3375: Lack of Disk Encryption with Customer Managed Keys (Azure Virtual Machines) [Added]
T5539: Enforce secure communication (Azure App Service) [Added]
- P3365: Lack of Enforced secure communication (Azure App Service) [Added]
T5540: Enforce authentication and client certificate validation(Azure App Service) [Added]
- P3366: Lack of authentication and client certificate validation (Azure App Service) [Added]
T5541: Eliminate app secrets using Managed Service Identity (Azure App Service) [Added]
- P3367: Hardcoded Credentials in Application Code (Azure App Service) [Added]
T5542: Ensure web apps run on supported language versions (Azure App Service) [Added]
- P3368: Use of deprecated language versions in web applications (Azure App Service) [Added]
T5543: Store sensitive information securely in Azure Key Vault (Azure App Service) [Added]
- P3369: Insecure storage of sensitive information (Azure App Service) [Added]
T5544: Configure Network Security Groups for Azure Virtual Networks (Azure Container Instances) [Added]
- P3370: Improper Network Traffic Control (Azure Container Instances) [Added]
T5545: Use Managed Identity for Container Instances (Azure Container Instances) [Added]
- P3371: Lack of Managed Identity for Container Instances (Azure Container Instances) [Added]
T5546: Ensure data in transit is encrypted with SSL (Azure CycleCloud) [Added]
- P3372: Unencrypted Data Transmission (Azure CycleCloud) [Added]
T5547: Secure remote access to Azure Virtual Machines (Azure Virtual Machines) [Added]
- P3373: Exposed Remote Access Protocol Ports (Azure Virtual Machines) [Added]
T5548: Use Managed Disks for Virtual Machines and enforce secure VM configurations (Azure Virtual Machines) [Added]
- P3374: Insecure Storage Configuration (Azure Virtual Machines) [Added]
T5549: Encrypt OS, data, and unattached disks with Customer Managed Keys in VMs (Azure Virtual Machines) [Added]
- P3375: Lack of Disk Encryption with Customer Managed Keys (Azure Virtual Machines) [Added]
T5574: Ensure compliance of marketing and advertising (ISO 27701) [Added]
- P257: Privacy Violation [Updated]
  - INFO: Updated the match conditions.
T5575: Evaluate compliance of processing instructions (ISO 27701) [Added]
- P257: Privacy Violation [Updated]
  - INFO: Updated the match conditions.
T5576: Ensure customer compliance demonstration (ISO 27701) [Added]
- P257: Privacy Violation [Updated]
  - INFO: Updated the match conditions.
T5577: Fulfill obligations to Personally Identifiable Information principals (ISO 27701) [Added]
- P257: Privacy Violation [Updated]
  - INFO: Updated the match conditions.
T5578: Secure lifecycle mangement of Personally Identifiable Information (ISO 27701) [Added]
- P257: Privacy Violation [Updated]
  - INFO: Updated the match conditions.
T5579: Notify customers of Personally Identifiable Information disclosure requests (ISO 27701) [Added]
- P257: Privacy Violation [Updated]
  - INFO: Updated the match conditions.
T5580: Evaluate legally binding Personally Identifiable Information disclosure requests (ISO 27701) [Added]
- P257: Privacy Violation [Updated]
  - INFO: Updated the match conditions.
T5581: Ensure transparency and compliance in subcontractor engagement for Personally Identifiable Information processing (ISO 27701) [Added]
- P257: Privacy Violation [Updated]
  - INFO: Updated the match conditions.
T5582: Strengthen access control and authentication for OCI users and resources (Oracle Cloud Infrastructure) [Added]
- P3376: Insecure Identity and Access Management (IAM) Practices (Oracle Cloud Infrastructure) [Added]
- I2052: Ensure MFA is enabled for all users with a console password [Added]
- I2056: Ensure user IAM Database Passwords rotate within 90 days [Added]
- I2058: Ensure all OCI IAM user accounts have a valid and current email address [Added]
- I2059: Ensure Instance Principal authentication is used for OCI instances, OCI Cloud Databases and OCI Functions to access OCI resources. [Added]
T5583: Enforce robust IAM password policies (Oracle Cloud Infrastructure) [Added]
- P3377: Weak password policies (Oracle Cloud Infrastructure) [Added]
- I2049: Ensure IAM password policy requires minimum length of 14 or greater [Added]
- I2050: Ensure IAM password policy expires passwords within 365 days [Added]
- I2051: Ensure IAM password policy prevents password reuse [Added]
T5584: Enhance API and Authentication Key Management (Oracle Cloud Infrastructure) [Added]
- P3378: Excessive or uncontrolled privileges (Oracle Cloud Infrastructure) [Added]
- I2053: Ensure user API keys rotate within 90 days [Added]
- I2054: Ensure user customer secret keys rotate every 90 days [Added]
- I2055: Ensure user auth tokens rotate within 90 days or less [Added]
- I2057: Ensure API keys are not created for tenancy administrator users [Added]
T5585: Restrict and manage administrative access to services and resources (Oracle Cloud Infrastructure) [Added]
- P3379: Excessive privileges in cloud resource management (Oracle Cloud Infrastructure) [Added]
- I2046: Ensure service level admins are created to manage resources of particular service [Added]
- I2047: Ensure permissions on all resources are given only to the tenancy administrator group [Added]
- I2048: Ensure IAM administrators cannot update tenancy Administrators group [Added]
- I2060: Ensure storage service-level admins cannot delete resources they manage. [Added]
T5586: Restrict ingress access to SSH and RDP ports in security lists and network security groups (Oracle Cloud Infrastructure) [Added]
- P3380: Unrestricted ingress access to critical ports (Oracle Cloud Infrastructure) [Added]
- I2061: Ensure no security lists allow ingress from 0.0.0.0/0 to port 22 [Added]
- I2062: Ensure no security lists allow ingress from 0.0.0.0/0 to port 3389 [Added]
- I2063: Ensure no network security groups allow ingress from 0.0.0.0/0 to port 22 [Added]
- I2064: Ensure no network security groups allow ingress from 0.0.0.0/0 to port 3389 [Added]
- I2065: Ensure the default security list of every VCN restricts all traffic except ICMP [Added]
T5587: Restrict network access to Oracle Cloud services using ingress filtering and Virtual Cloud Networks (Oracle Cloud Infrastructure) [Added]
- P3381: Unrestricted Network Access to Oracle Cloud Services (Oracle Cloud Infrastructure) [Added]
- I2066: Ensure Oracle Integration Cloud (OIC) access is restricted to allowed sources. [Added]
- I2067: Ensure Oracle Analytics Cloud (OAC) access is restricted to allowed sources or deployed within a Virtual Cloud Network. [Added]
- I2068: Ensure Oracle Autonomous Shared Databases (ADB) access is restricted to allowed sources or deployed within a Virtual Cloud Network [Added]
T5588: Enhance Compute Instance security by adopting IMDSv2 and enabling Secure Boot on Shielded Instances (Oracle Compute Instance) [Added]
- P3382: Use of legacy MetaData Service Endpoints (Oracle Compute Instance) [Added]
- I2069: Ensure Compute Instance Legacy Metadata service endpoint is disabled [Added]
- I2070: Ensure Secure Boot is enabled on Compute Instance [Added]
T5589: Enable in-transit encryption for Oracle Cloud services (Oracle Compute Instance) [Added]
- P3383: Unencrypted data transmission Between Virtual Machines and Block Volumes (Oracle Compute Instance) [Added]
- I2071: Ensure In-transit Encryption is enabled on Compute Instance [Added]
T5590: Enhance visibility and resource governance using default tags, Event Rules, and Notifications (Oracle Cloud Infrastructure) [Added]
- P3384: Lack of governance and visibility over cloud resource changes (Oracle Cloud Infrastructure) [Added]
- I2072: Ensure default tags are used on resources [Added]
- I2073: Create at least one notification topic and subscription to receive monitoring alerts [Added]
- I2074: Ensure a notification is configured for Identity Provider changes [Added]
- I2075: Ensure a notification is configured for IdP group mapping changes [Added]
- I2076: Ensure a notification is configured for IAM group changes [Added]
- I2077: Ensure a notification is configured for IAM policy changes [Added]
- I2078: Ensure a notification is configured for user changes [Added]
- I2079: Ensure a notification is configured for VCN changes [Added]
- I2080: Ensure a notification is configured for changes to route tables [Added]
- I2081: Ensure a notification is configured for security list changes [Added]
- I2082: Ensure a notification is configured for network security group changes [Added]
- I2083: Ensure a notification is configured for changes to network gateways [Added]
- I2086: Ensure a notification is configured for Oracle Cloud Guard problems detected [Added]
T5591: Enhance visibility into network traffic with VCN flow logs (Oracle Cloud Infrastructure) [Added]
- P3385: Lack of network traffic visibility (Oracle Cloud Infrastructure) [Added]
- I2084: Ensure VCN flow logging is enabled for all subnets [Added]
T5592: Enable Cloud Guard for security monitoring (Oracle Cloud Infrastructure) [Added]
- P3386: Misconfigured resources and insecure Activities (Oracle Cloud Infrastructure) [Added]
- I2085: Ensure Cloud Guard is enabled in the root compartment of the tenancy [Added]
T5593: Rotate encryption keys using Oracle Cloud Infrastructure Vault (Oracle Cloud Infrastructure) [Added]
- P3387: Inadequate key management practices (Oracle Cloud Infrastructure) [Added]
- I2087: Ensure customer created Customer Managed Key (CMK) is rotated at least annually [Added]
T5594: Enable and enforce Object Storage write-level logging for all buckets (Oracle Cloud Infrastructure) [Added]
- P3388: Lack of visibility into Object Storage modifications and access (Oracle Cloud Infrastructure) [Added]
- I2088: Ensure write level Object Storage logging is enabled for all buckets [Added]
T5595: Enhance Object Storage security by enabling Customer Managed Key (CMK) encryption and versioning (Oracle Object Storage) [Added]
- P3389: Inadequate encryption control and lack of data recoverability (Oracle Object Storage) [Added]
- I2090: Ensure Object Storage Buckets are encrypted with a Customer Managed Key (CMK). [Added]
- I2091: Ensure Versioning is Enabled for Object Storage Buckets [Added]
T5596: Enforce Customer Managed Key (CMK) encryption for block and boot volumes (Oracle Block Volume) [Added]
- P3390: Insufficient control over encryption keys for Block and Boot Volumes (Block Volume) [Added]
- I2092: Ensure Block Volumes are encrypted with Customer Managed Keys (CMK). [Added]
- I2093: Ensure boot volumes are encrypted with Customer Managed Key (CMK). [Added]
T5597: Enforce Customer Managed Key (CMK) encryption for File Storage Systems (FSS) (Oracle File Storage) [Added]
- P3391: Lack of customer-controlled encryption for File Storage Systems (Oracle File Storage) [Added]
- I2094: Ensure File Storage Systems are encrypted with Customer Managed Keys (CMK) [Added]
T5598: Enforce compartmentalization by creating and using compartments for cloud resources (Oracle Cloud Infrastructure) [Added]
- P3392: Lack of compartmentalization in Oracle Cloud Infrastructure (Oracle Cloud Infrastructure) [Added]
- I2095: Create at least one compartment in your tenancy to store cloud resources [Added]
- I2096: Ensure no resources are created in the root compartment [Added]
T5599: Restrict public access to Object Storage buckets (Oracle Object Storage) [Added]
- P3393: Publicly accessible object Storage Buckets (Oracle Object Storage) [Added]
- I2089: Ensure no Object Storage buckets are publicly visible. [Added]
T5600: Verify Access and Authentication settings for OCI Security (Oracle Cloud Infrastructure) [Added]
- P3376: Insecure Identity and Access Management (IAM) Practices (Oracle Cloud Infrastructure) [Added]
- I2103: Verify that MFA is enabled for all users with a console password [Added]
- I2107: Verify that user IAM Database Passwords rotate within 90 days [Added]
- I2109: Verify that all OCI IAM user accounts have a valid and current email address [Added]
- I2110: Verify that Instance Principal authentication is used for OCI resources [Added]
T5601: Verify that the password policies enforce complexity requirements (Oracle Cloud Infrastructure) [Added]
- P3377: Weak password policies (Oracle Cloud Infrastructure) [Added]
- I2100: Verify that IAM password policy requires minimum length of 14 or greater [Added]
- I2101: Test that IAM password policy expires passwords within 365 days [Added]
- I2102: Verify that IAM password policy prevents password reuse [Added]
T5602: Validate Access Controls and Key Management for accessing OCI APIs (Oracle Cloud Infrastructure) [Added]
- P3378: Excessive or uncontrolled privileges (Oracle Cloud Infrastructure) [Added]
- I2104: Verify that user API keys rotate within 90 days [Added]
- I2105: Verify that user customer secret keys rotate every 90 days [Added]
- I2106: Verify that user auth tokens rotate within 90 days or less [Added]
- I2108: Verify that API keys are not created for tenancy administrator users [Added]
T5603: Verify Least Privilege Enforcement for Service and Tenancy Administrators (Oracle Cloud Infrastructure) [Added]
- P3379: Excessive privileges in cloud resource management (Oracle Cloud Infrastructure) [Added]
- I2097: Test that service level admins are created to manage resources of particular service [Added]
- I2098: Verify that permissions on all resources are given only to the tenancy administrator group [Added]
- I2099: Verify that IAM administrators cannot update tenancy Administrators group [Added]
- I2111: Verify that storage service-level admins cannot delete resources they manage [Added]
T5604: Verify ingress access to SSH and RDP ports are restricted in security lists and network security groups (Oracle Cloud Infrastructure) [Added]
- P3380: Unrestricted ingress access to critical ports (Oracle Cloud Infrastructure) [Added]
- I2112: Verify that no security lists allow ingress from 0.0.0.0/0 to port 22 [Added]
- I2113: Verify that security lists do not allow ingress from 0.0.0.0/0 to port 3389 [Added]
- I2114: Verify that no network security groups allow ingress from 0.0.0.0/0 to port 22 [Added]
- I2115: Verify that no network security groups allow ingress from 0.0.0.0/0 to port 3389 [Added]
- I2116: Verify that the default security list of every VCN restricts all traffic except ICMP [Added]
T5605: Verify network access restrictions using ingress filtering and Virtual Cloud Networks (Oracle Cloud Infrastructure) [Added]
- P3381: Unrestricted Network Access to Oracle Cloud Services (Oracle Cloud Infrastructure) [Added]
- I2117: Test that Oracle Integration Cloud access is restricted to allowed sources [Added]
- I2118: Verify that Oracle Analytics Cloud access is restricted to allowed sources [Added]
- I2119: Verify that Oracle Autonomous Shared Databases access is restricted [Added]
T5606: Verify Compute Instance security by adopting IMDSv2 and enabling Secure Boot on Shielded Instances (Oracle Compute Instance) [Added]
- P3382: Use of legacy MetaData Service Endpoints (Oracle Compute Instance) [Added]
- I2120: Verify that the Compute Instance Legacy Metadata service endpoint is disabled [Added]
- I2121: Verify that Secure Boot is enabled on Oracle Cloud services [Added]
T5607: Verify the in-transit encryption for Block Volume service is enabled (Oracle Compute Instance) [Added]
- P3383: Unencrypted data transmission Between Virtual Machines and Block Volumes (Oracle Compute Instance) [Added]
- I2122: Verify that In-transit Encryption is enabled on Oracle Cloud services [Added]
T5608: Verify enforcement of default tags, Event Rules, and Notifications in Oracle Cloud Infrastructure (Oracle Cloud Infrastructure) [Added]
- P3384: Lack of governance and visibility over cloud resource changes (Oracle Cloud Infrastructure) [Added]
- I2123: Verify that default tags are used on resources [Added]
- I2124: Test that at least one notification topic and subscription is created for monitoring alerts [Added]
- I2125: Test that a notification is configured for Identity Provider changes [Added]
- I2126: Verify that a notification is configured for IdP group mapping changes [Added]
- I2127: Test that a notification is configured for IAM group changes [Added]
- I2128: Test that a notification is configured for IAM policy changes [Added]
- I2129: Test that a notification is configured for user changes [Added]
- I2130: Test that a notification is configured for VCN changes [Added]
- I2131: Test that a notification is configured for changes to route tables [Added]
- I2132: Test that a notification is configured for security list changes [Added]
- I2133: Test that a notification is configured for network security group changes [Added]
- I2134: Verify that a notification is configured for changes to network gateways [Added]
- I2137: Test that a notification is configured for Oracle Cloud Guard problems detected [Added]
T5609: Verify the VCN flow logging is enabled(Oracle Cloud Infrastructure) [Added]
- P3385: Lack of network traffic visibility (Oracle Cloud Infrastructure) [Added]
- I2135: Test that VCN flow logging is enabled for all subnets [Added]
T5610: Verify that Cloud Guard is enabled (Oracle Cloud Infrastructure) [Added]
- P3386: Misconfigured resources and insecure Activities (Oracle Cloud Infrastructure) [Added]
- I2136: Verify that Cloud Guard is enabled in the root compartment of the tenancy [Added]
T5611: Verify the security of encryption keys in use (Oracle Cloud Infrastructure) [Added]
- P3387: Inadequate key management practices (Oracle Cloud Infrastructure) [Added]
- I2138: Verify that the Customer Managed Key is rotated at least annually [Added]
T5612: Verify write-level logging is enabled and enforced for all Object Storage buckets (Oracle Cloud Infrastructure) [Added]
- P3388: Lack of visibility into Object Storage modifications and access (Oracle Cloud Infrastructure) [Added]
- I2139: Verify that write level Object Storage logging is enabled for all buckets [Added]
T5613: Verify CMK encryption and versioning are enabled for Object Storage buckets (Oracle Object Storage) [Added]
- P3389: Inadequate encryption control and lack of data recoverability (Oracle Object Storage) [Added]
- I2141: Verify that Object Storage Buckets are encrypted with a Customer Managed Key (CMK) [Added]
- I2142: Verify that Versioning is Enabled for Oracle Cloud Object Storage Buckets [Added]
T5614: Verify CMK encryption is enforced for block and boot volumes (Oracle Block Volume) [Added]
- P3390: Insufficient control over encryption keys for Block and Boot Volumes (Block Volume) [Added]
- I2143: Verify that Block Volumes are encrypted with Customer Managed Keys (CMK) [Added]
- I2144: Verify that boot volumes are encrypted with Customer Managed Key (CMK) [Added]
T5615: Verify CMK encryption is enforced for File Storage Systems (FSS) (Oracle File Storage) [Added]
- P3391: Lack of customer-controlled encryption for File Storage Systems (Oracle File Storage) [Added]
- I2145: Verify that File Storage Systems are encrypted with Customer Managed Keys (CMK) [Added]
T5616: Verify compartments are used for all cloud resources and the root compartment remains empty (Oracle Cloud Infrastructure) [Added]
- P3392: Lack of compartmentalization in Oracle Cloud Infrastructure (Oracle Cloud Infrastructure) [Added]
- I2146: Test that at least one compartment is created in your tenancy to store cloud resources [Added]
- I2147: Verify that no resources are created in the root compartment [Added]
T5617: Verify Object Storage buckets are not publicly accessible (Oracle Object Storage) [Added]
- P3393: Publicly accessible object Storage Buckets (Oracle Object Storage) [Added]
- I2140: Verify that no Object Storage buckets are publicly visible [Added]
T5618: Align product scope with the RED (EU RED) [Added]
- P3394: Misinterpretation of Compliance Scope (EU RED) [Added]
T5619: Identify and address essential requirements (EU RED) [Added]
- P3395: Inadequate Risk Assessment for Radio Equipment (EU RED) [Added]
T5620: Implement procedures for managing changes (EU RED) [Added]
- P3396: Lack of Formal Change Management Process (EU RED) [Added]
T5621: Perform a comprehensive risk assessment (EU RED) [Added]
- P3395: Inadequate Risk Assessment for Radio Equipment (EU RED) [Added]
T5622: Choose the appropriate conformity assessment procedure (EU RED) [Added]
- P3401: Inadequate Conformity Assessment (EU RED) [Added]
T5623: Compile the complete technical documentation for conformity assessment (EU RED) [Added]
- P3397: Lack of Comprehensive Documentation (EU RED) [Added]
T5624: Address software security and integrity (EU RED) [Added]
- P3398: Unauthorized Software Loading and Modification (EU RED) [Added]
T5625: Establish a compliant manufacturing process (EU RED) [Added]
- P3399: Non-compliance with Approved Design Specifications (EU RED) [Added]
T5626: Implement a process for ongoing monitoring or vigilance (EU RED) [Added]
- P3400: Lack of System for Monitoring Radio Equipment (EU RED) [Added]
T5627: Provide instructions for safe use (EU RED) [Added]
- P3402: Insufficient User Guidance in Radio Equipment Software (EU RED) [Added]
T5628: Mandate USB-C as the common charger for specified devices (EU RED) [Added]
- P3403: Improper USB-C Compliance Handling (EU RED) [Added]
T5629: Provide device identification and enforce traceability (EU RED) [Added]
- P3404: Insufficient Device Identification and Traceability (EU RED) [Added]
T5630: Prepare the EU Declaration of Conformity (DoC) (EU RED) [Added]
- P3405: Inappropriate Handling of EU Declaration of Conformity (EU RED) [Added]
T5631: Operate an approved quality system (EU RED) [Added]
- P3406: Insufficient Quality System Conformity Management (EU RED) [Added]
T5632: Use Short-Lived Access Tokens (iOS) [Added]
- P3407: Insecure token lifecycle management (iOS) [Added]
T5633: Implement best practices for Biometric authentication (iOS) [Added]
- P3408: Improper implementation of biometric authentication (iOS) [Added]
T5634: Securely integrate iCloud storage into iOS applications (iOS) [Added]
- P3409: Insecure iCloud storage handling (iOS) [Added]
T5635: Follow best practices for handling CloudKit Storage (iOS) [Added]
- P3410: Improper CloudKit data handling and access control (iOS) [Added]
T5636: Implement secure and privacy-compliant handling of app permissions (iOS) [Added]
- P3411: Insecure permission handling and data access (iOS) [Added]
T5637: Implement best practices for handling location data (iOS) [Added]
- P3412: Improper handling of location data (iOS) [Added]
T5638: Verify implementation of secure short-lived token handling in an iOS app (iOS) [Added]
- P3407: Insecure token lifecycle management (iOS) [Added]
T5639: Verify secure and user-friendly implementation of biometric authentication (iOS) [Added]
- P3408: Improper implementation of biometric authentication (iOS) [Added]
T5640: Verify secure handling of iCloud Storage (iOS) [Added]
- P3409: Insecure iCloud storage handling (iOS) [Added]
T5641: Verify secure implementation of CloudKit storage in the iOS application (iOS) [Added]
- P3410: Improper CloudKit data handling and access control (iOS) [Added]
T5642: Verify secure and privacy-compliant handling of app permissions (iOS) [Added]
- P3411: Insecure permission handling and data access (iOS) [Added]
T5643: Verify secure handling of location data (iOS) [Added]
- P3412: Improper handling of location data (iOS) [Added]
T5644: Implement secure key rotation mechanism in the Android application (Android) [Added]
- P3413: Improper cryptographic key management (Android) [Added]
T5645: Implement secure Binder communication (Android) [Added]
- P3414: Improper inter-process communication handling (Android) [Added]
T5646: Implement secure services (Android) [Added]
- P3415: Improper service declaration and access control (Android) [Added]
T5647: Verify secure key management and rotation using Android Keystore (Android) [Added]
- P3413: Improper cryptographic key management (Android) [Added]
T5648: Verify secure implementation of inter-process communication (IPC) using Binder and AIDL (Android) [Added]
- P3414: Improper inter-process communication handling (Android) [Added]
T5649: Verify secure implementation services (Android) [Added]
- P3415: Improper service declaration and access control (Android) [Added]
Changes to Project Properties and Profiles
- Q193: Components
  - Q101: Components In Development
    - A6: Web service [Updated]
      - INFO: Updated the description.
- Q195: Language and Framework
  - Q109: Programming Language
    - Q110: Technology/Framework
      - A1136: React [Updated]
        
        INFO: Updated the match conditions.
      - A2109: Micronaut [Added]
    - A2108: Low-code/No-code [Added]
- Q199: Authentication
  - Q129: Requires Server-to-Server Authentication
    - A17: Yes [Updated]
      - INFO: Updated the description.
- Q206: Privacy
  - Q160: Handles Personal Data
    - Q481: Privacy Standards [Added]
      - A2120: ISO 27701 [Added]
    - Q224: Privacy Regulations
      - A2131: India DPDPA [Added]
- Q237: Compliance Scope: Other
  - Q473: In-Scope for EU Data Act [Added]
    - A2028: Yes [Added]
  - Q485: In scope for EU RED [Added]
    - A2127: Yes [Added]
- Q258: Architecture/Environment
  - Q322: Architecture
    - Q459: Blockchain Architecture [Added]
      - A2014: Smart Contract [Added]
    - A1142: Contains components that communicate through a network [Updated]
      - INFO: Updated the text and description.
    - A2013: Blockchain [Added]
- Q284: Context and Characteristics
  - Q460: Accessibility Requirements [Added]
    - A2016: This application has accessibility requirements [Added]
- Q289: Cloud Computing
  - Q343: Generic Cloud Content [Updated]
    - INFO: Updated the text.
    - A1332: Include generic, story-driven cloud countermeasures [Updated]
      - INFO: Updated the text and description.
  - Q290: Cloud Providers
    - A1159: Non-Story-Driven Amazon Web Services (AWS) Content [Updated]
      - INFO: Updated the text and description.
    - A1190: Microsoft Azure [Updated]
      - INFO: Updated the description.
    - A1212: Non-Story-Driven Google Cloud Content [Updated]
      - INFO: Updated the text and description.
    - A1333: Story-Driven Amazon Web Services (AWS) Content [Updated]
      - INFO: Updated the text and description.
    - A1336: Story-Driven Google Cloud Content [Updated]
      - INFO: Updated the text and description.
    - A2121: Oracle [Added]
- Q307: Containerization
  - Q308: Containerization Technologies
    - A2015: Containerd [Added]
- Q361: Amazon Web Services (AWS)
  - Q298: AWS Services
    - Q379: More AWS Services
      - A1513: AWS Glue [Updated]
        
        INFO: Updated the question.
      - A1628: AWS FSx for Windows File Server [Updated]
        
        INFO: Updated the question.
    - A2111: AWS CloudShell [Added]
  - Q366: AWS Cloud Configuration
    - A1392: AWS Cloud Configuration [Updated]
      - INFO: Updated the description.
- Q362: Microsoft Azure
  - Q306: Azure Services
    - Q370: More Azure Services
      - A1474: Azure Key Vault Managed HSM [Updated]
        
        INFO: Updated the question.
    - A2112: Azure CycleCloud [Added]
  - Q365: Azure Cloud Configuration
    - A1391: Azure Cloud Configuration [Updated]
      - INFO: Updated the description.
- Q363: Google Cloud Platform (GCP)
  - Q367: GCP Cloud Configuration
    - A1393: GCP Cloud Configuration [Updated]
      - INFO: Updated the description.
- Q461: AI and Machine Learning [Added]
  - Q357: Artificial Intelligence/Machine Learning [Updated]
    - INFO: Updated the parent.
    - Q455: US State-Specific AI Regulation [Added]
      - A2004: Utah AIPA [Added]
      - A2005: Colorado CPAI [Added]
    - Q376: AI/ML Usecases [Updated]
      - INFO: Updated the parent and required.
    - Q457: AI Content Organization [Updated]
      - INFO: Updated the parent.
  - Q368: Type of AI system [Updated]
    - INFO: Updated the parent.
  - Q458: AI/ML Frameworks [Updated]
    - INFO: Updated the parent.
- Q482: Oracle [Added]
  - Q483: Oracle Cloud Configuration [Added]
    - A2122: Oracle Cloud Configuration [Added]
  - Q484: Oracle Services [Added]
    - A2123: Compute Instance [Added]
    - A2124: Object Storage [Added]
    - A2125: Block Volume [Added]
    - A2126: File Storage [Added]
Added Components
- SC776: Blockchain
- SC777: Smart Contract
- SC778: Containerd
- SC779: Oracle Services
- SC780: Oracle Environment
- SC781: Oracle Compute instance
- SC782: Oracle Object Storage
- SC783: Oracle Block Volume
- SC784: Oracle File Storage
Updated Components
- SC189: AWS CloudShell
  - INFO: Updated the description.
- SC375: Azure CycleCloud
  - INFO: Updated the description.

2024.4

January 11, 2025

New features and enhancements

Deactivate a Library Weakness
- Added the ability to deactivate a Library Weakness via UI, API, Import/Export, and through content packs.
New Library Countermeasures UI/UX
- Introduced a redesigned interface for searching, creating, and modifying Library Countermeasures.
- Added the ability to filter the Library Countermeasures page by regulations.
- Added the ability to save a copy of an existing Library Countermeasure.
All Countermeasures Project Report
- Added the ability to filter reports by Risk Policy-based Countermeasures
Diagram improvements
- Added the ability to enable gridlines on the diagram canvas
- Added the ability to expand the diagram canvas to use the full screen available
- Native image import will now list connections that are not connected, providing the ability to either import or cancel the import.
Scan a Repository, On-Site Scanning Script
- Added the ability to download the repository scanning script used in the UI to run in their own environments. The script is located under the Customer Portal which requires an account to access.
- Once the script is run, scanning results can be uploaded via the API and UI.
Integrations
- Threadfix
  - Coalfire has announced that ThreadFix will be sunset on December 31, 2024. While we will no longer provide full support for the tool after this date, the integration will remain available for customers with extended support until December 31, 2025. Please plan accordingly and contact Coalfire's support team for assistance with transitions or extended support options.

Updates

February 1, 2025

Added attributes to the Library Import/Export tool
Trailing semi-colons are no longer present in the export of Library data under match conditions
Unpublished Library Content no longer pulls through on Library Context for Advanced Reports
Modified Countermeasures no longer preserve a built-in type
New one-click template for Global Reports in Advanced Reports
- The Global Reports page will be deprecated on July 5, 2025. You can generate the same global reports using the Advanced Reports feature.

February 15, 2025

New one-click template for Training Reports in Advanced Reports
- The Training Report context will now display users who have not enrolled into courses or modules.
- The Training Reports page will be deprecated on July 5, 2025. You can generate the same training reports using the Advanced Reports feature.

March 15, 2025

The following integrations are planned to be End Of Support by July 5, 2025 (2025.2) and will no longer be available:
- Issue Trackers: Archer, VersionOne, IBM RTC, Pivotal Tracker
- Verification: HP WebInspect, Mend

Content improvements summary

MITRE ATT&CK
- Added two compliance regulations for Enterprise and ICS domains, 10 Countermeasures and associated Weaknesses.
EU NIS2
- Added a new compliance regulation, 11 weaknesses, 22 countermeasures and 31 amendments.
EU Digital Operational Resilience Act
- Added a new compliance regulation, 4 weaknesses, 4 countermeasures and 15 amendments
China’s PIPL
- Added a new privacy law, 4 countermeasures and 48 amendments.
US State-Specific Privacy Legislation
- Added 7 new privacy laws (Virginia CDPA, Colorado PA, Connecticut PDPOM, Utah CPA, Oregon PL, Texas DPSA, Montana CDPA) and 31 amendments.
US State-Specific AI Regulation
- Added 2 new AI regulations (Utah AIPA, Colorado CPAI).

Content additions and updates (as of December 5, 2024):

Compliance Regulations and Mappings
- Added OWASP Mobile Top 10 (2024)
- Added MITRE ATT&CK (Enterprise)
- Added MITRE ATT&CK (ICS)
- Added EU Digital Operational Resilience Act
- Added Personal Information Protection Law of the People's Republic of China
- Added Virginia Consumer Data Protection Act
- Added Colorado Privacy Act
- Added Connecticut Personal Data Privacy And Online Monitoring
- Added Utah Consumer Privacy Act
- Added Oregon Privacy Legislation
- Added Texas Data Privacy and Security Act
- Added Montana Consumer Data Privacy Act
- Added Utah Artificial Intelligence Policy Act
- Added Colorado Consumer Protections for Artificial Intelligence
- Added EU NIS2
- Updated OWASP Mobile Top 10 (2016) [Retired] [INFO: Updated the description].
Content Packs
- Added Singularity
- Added Snowflake
- Added EU Digital Operational Resilience Act
- Added China PIPL
- Added US Privacy Regulation
- Added US AI Regulation
- Added EU NIS2
T1: Use multi-factor authentication for remote access to high risk systems or administrative access to services
- TA7084: Implement Multi-Factor Authentication (EU NIS2) [Added]
T176: Apply principles of privacy when handling personal information
- TA6989: Operationalize transparency in data processing [Added]
- TA6991: Strengthen security risk mitigation in data processing [Added]
- TA6992: Prevent and address unlawful data processing [Added]
- TA6996: Ensure compliance with data retention limits [Added]
- TA7001: Enhance oversight in automated decision-making [Added]
- TA7002: Strengthen consent management for disclosure of personal information [Added]
- TA7010: Ensure security in cross-border data handling [Added]
- TA7012: Ensure user control over personal information processing [Added]
- TA7015: Strengthen processes for data erasure and retention exceptions [Added]
- TA7017: Establish mechanisms for managing rights requests [Added]
- TA7018: Standardize security measures for personal data processing [Added]
- TA7019: Establish accountability in personal information oversight [Added]
- TA7020: Conduct regular audits for compliance in data processing [Added]
- TA7021: Conduct comprehensive risk assessments for high-impact data processing [Added]
- TA7022: Assess security risks for personal data processing comprehensively [Added]
- TA7024: Assist in fulfilling obligations for entrusted personal data processing [Added]
- TA7031: Apply measures for consumer data rights compliance [Added]
- TA7032: Apply measures for aligning processing with consumer expectations [Added]
- TA7033: Perform privacy risk assessments for targeted activities [Added]
- TA7036: Limit data collection and ensure secure, consent-based processing [Added]
- TA7037: Ensure processors support controllers in fulfilling obligations [Added]
- TA7038: Conduct data protection assessments for high-risk processing [Added]
- TA7040: Facilitate consumer rights requests through designated channels [Added]
- TA7046: Conduct and document data protection assessments for high-risk processing [Added]
- TA7056: Conduct and retain assessments for high-risk processing activities [Added]
- P257: Privacy Violation [Updated]
  - INFO: Updated the match conditions.
T177: Allow users to review and update their personal information
- TA7013: Facilitate access and transfer of personal information [Added]
- TA7014: Facilitate rectification of personal information [Added]
T178: Obtain consent from users prior to collecting personal information
- TA6978: Ensure service continuity for users withdrawing consent [Added]
- TA6979: Clarification and updates on data processing information [Added]
- TA6980: Emergency situations and regulatory compliance [Added]
- TA6993: Enhance consent management for specific processing scenarios [Added]
- TA7000: Enhance transparency in data sharing agreements [Added]
- TA7003: Ensure safeguards for processing publicly disclosed information [Added]
- TA7004: Implement safeguards for sensitive personal information processing [Added]
- TA7009: Enhance transparency in cross-border data transfers [Added]
- P257: Privacy Violation [Updated]
  - INFO: Updated the match conditions.
T179: Allow access for users to remove their personal information from the system
- TA7026: Define consumer rights and controller obligations [Added]
T195: Design lawful procedures to obtain consent for processing personal information and to withdraw it when requested
- TA6981: Joint processing of personal information [Added]
- TA6994: Procedures for renewing consent with purpose changes [Added]
- TA6999: Ensure accountability in data transfers [Added]
- TA7005: Implement procedures for processing sensitive information [Added]
- TA7006: Clarify impacts of processing sensitive personal information [Added]
- TA7008: Establish safeguards for cross-border data transfers [Added]
- TA7011: Restrict data sharing with non-compliant overseas entities [Added]
- TA7043: Facilitate consumer rights requests through specified channels [Added]
- TA7048: Provide secure and accessible methods for consumer requests [Added]
- P257: Privacy Violation [Updated]
  - INFO: Updated the match conditions.
T207: Provide special data protection for children's personal information
- TA7007: Establish protocols for processing children's personal information [Added]
- P257: Privacy Violation [Updated]
  - INFO: Updated the match conditions.
T313: Identify and classify categories of personal information
- TA7025: Exclude specific activities from personal information processing laws [Added]
- P257: Privacy Violation [Updated]
  - INFO: Updated the match conditions.
T338: Control access to resources through user authentication and authorization
- TA7041: Ensure timely and secure responses to consumer requests [Added]
- TA7078: Implement and Maintain Access Control Policies (EU NIS2) [Added]
- TA7081: Implement and Maintain Privileged Access Policies (EU NIS2) [Added]
- TA7083: Implement Strong Authentication Procedures (EU NIS2) [Added]
T378: Authorize every request for data objects
- TA7042: Provide consumers with control over their data [Added]
T544: Anonymize (de-identify) identifying information before using it for a secondary purpose
- TA7030: Verify de-identified and pseudonymous data handling requirements [Added]
- TA7055: Prevent reidentification and ensure compliance for deidentified data [Added]
- P257: Privacy Violation [Updated]
  - INFO: Updated the match conditions.
T604: Implement a consent withdrawal mechanism
- TA6995: Streamline consent withdrawal processes [Added]
- TA7050: Provide conspicuous opt-out mechanisms for data usage [Added]
- P257: Privacy Violation [Updated]
  - INFO: Updated the match conditions.
T607: Develop automated tools/settings for destroying personal information when it is no longer needed
- TA7028: Define controller-processor relationship and compliance obligations [Added]
- P257: Privacy Violation [Updated]
  - INFO: Updated the match conditions.
T740: Provide personal information and its processing information to users in an appropriate format
- TA7047: Enable secure mechanisms for exercising consumer data rights [Added]
T742: Implement technical measures to ensure the accuracy of personal information
- TA6990: Ensuring data accuracy through verification mechanisms [Added]
- P257: Privacy Violation [Updated]
  - INFO: Updated the match conditions.
T750: Limit personal information collection and processing to the specified purpose
- TA6987: Ensuring transparency and accountability in personal data processing [Added]
- TA6988: Minimize data processing [Added]
- TA6997: Strengthen agreements and oversight in data processing relationships [Added]
- TA7044: Ensure compliance with data collection and consent requirements [Added]
- TA7053: Ensure transparent and secure processing of personal data [Added]
T751: Provide users with a notification of personal information processing
- TA6985: Exceptions to notification obligations [Added]
- TA7027: Define privacy notice and consumer rights request requirements [Added]
- TA7035: Ensure consumers can exercise their data rights effectively [Added]
- TA7039: Enable consumers to exercise data rights effectively [Added]
- TA7045: Deliver transparent and accessible privacy notices [Added]
- TA7049: Maintain clear and accessible privacy notices [Added]
- TA7052: Ensure consumers can exercise rights over their personal data [Added]
T754: Enable the restriction of processing personal information of an individual for a specific purpose
- TA7016: Clarify personal information processing rules [Added]
- P257: Privacy Violation [Updated]
  - INFO: Updated the match conditions.
T755: Maintain a Data Processing Register or Record of Business Processing Activities
- TA7054: Document and enforce processor obligations for data protection [Added]
T1367: Identify and classify critical assets
- TA6964: DORA: Article 8 [Added]
- TA6971: DORA: Article 18 [Added]
- TA7085: Implement Asset Classification and Protection Levels (EU NIS2) [Added]
- TA7086: Maintain a Comprehensive Asset Inventory (EU NIS2) [Added]
T1372: Follow software change management process
- TA7072: Implement Change Management Procedures for Network and Information Systems (EU NIS2) [Added]
T1374: Ensure the integrity of software release and update delivery
- TA7074: Implementing a Robust Security Patch Management System (EU NIS2) [Added]
T1377: Establish and maintain a bi-directional communication channel for receiving security reports and sending security notifications
- TA6968: DORA: Article 14 [Added]
- TA6977: DORA: Article 45 [Added]
- TA7063: Implement a Robust Event Reporting Mechanism (EU NIS2) [Added]
- TA7067: Implement a Process for Managing Information from CSIRTs (EU NIS2) [Added]
T1380: Enforce secure user registration and access control
- TA7079: Implement Logical and Physical Access Control Policies (EU NIS2) [Added]
- TA7080: Implement Access Control Management Based on Need-to-Know and Least Privilege Principles (EU NIS2) [Added]
- TA7082: Manage the Full Life Cycle of Identities (EU NIS2) [Added]
T1384: Back up and restore securely
- TA6966: DORA: Article 12 [Added]
- TA7065: Implement Redundancy in Backup Systems (EU NIS2) [Added]
- TA7066: Implement Regular Integrity Checks on Backup Copies (EU NIS2) [Added]
T1385: Institute secure logging and event monitoring
- TA7062: Implement Monitoring and Logging Procedures (EU NIS2) [Added]
T1387: Ensure the security of products acquired through the supply chain and contractors
- TA7068: Establish and Implement a Supply Chain Security Policy (EU NIS2) [Added]
- TA7069: Maintain and Update a Registry of Direct Suppliers and Service Providers (EU NIS2) [Added]
T1388: Triage and fix vulnerabilities discovered during automated and manual security tests
- TA7075: Implement a Comprehensive Vulnerability Management Program (EU NIS2) [Added]
T1389: Perform penetration testing
- TA6973: DORA: Article 24 [Added]
- TA6974: DORA: Article 26 [Added]
- TA6975: DORA: Article 27 [Added]
T1892: Perform a Threat and Risk Assessment (TRA)
- TA7029: Ensure data protection assessment requirements and guidelines [Added]
- TA7060: Establish a Cybersecurity Risk Management Process (EU NIS2) [Added]
T1894: Perform a vendor security assessment
- TA6976: DORA: Article 28 [Added]
- TA7070: Implement Secure Acquisition Processes for ICT Services and Products (EU NIS2) [Added]
T2128: Notify users and regulators of breaches of personal information
- TA6972: DORA: Article 19 [Added]
- TA7023: Notify stakeholders promptly after personal information breaches [Added]
- P257: Privacy Violation [Updated]
  - INFO: Updated the match conditions.
T2170: Ensure that personal information processed by the application meets data localization requirements
- TA6984: Compliance with administrative restrictions on sensitive data transfers [Added]
- P257: Privacy Violation [Updated]
  - INFO: Updated the match conditions.
T2343: Define security-related roles and provide role-base training
- TA7059: Assign and Communicate Security Roles and Responsibilities (EU NIS2) [Added]
- TA7076: Implement Cybersecurity Awareness Programs (EU NIS2) [Added]
- TA7077: Establish and implement a security-focused training program (EU NIS2) [Added]
T2392: Create an Incident Response Plan
- TA6965: DORA: Article 10 [Added]
- TA6967: DORA: Article 13 [Added]
- TA6969: DORA: Article 15 [Added]
- TA6970: DORA: Article 17 [Added]
- TA7058: Establish Clear Incident Response Roles and Reporting Lines (EU NIS2) [Added]
- TA7061: Integrate Incident Handling with Business Continuity and Disaster Recovery Plans (EU NIS2) [Added]
- TA7064: Implement Comprehensive Incident Response Plans (EU NIS2) [Added]
T2502: Define a cybersecurity policy for your organization
- TA6963: DORA: Article 5 [Added]
- TA7057: Implement and Maintain a Network and Information Systems Security Policy (EU NIS2) [Added]
T2514: Establish coding and testing guidelines
- TA7071: Establish Secure Development Rules for Network and Information Systems (EU NIS2) [Added]
- TA7073: Establish and implement a security testing policy (EU NIS2) [Added]
T2519: Prevent prompt injection in Large Language Models [Added]
- P1733: Lack of protection against prompt injection in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T2520: Test the prevention of prompt injection in Large Language Models [Added]
- P1733: Lack of protection against prompt injection in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T2521: Handle insecure output in Large Language Models [Added]
- P1733: Lack of protection against prompt injection in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T2522: Test insecure output handling in Large Language Models [Added]
- P1733: Lack of protection against prompt injection in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T2523: Prevent training data poisoning in Large Language Models [Added]
- P1735: Lack of protection against training data poisoning in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T2524: Test the prevention of training data poisoning in Large Language Models [Added]
- P1735: Lack of protection against training data poisoning in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T2525: Prevent Large Language Model Denial of Service [Added]
- P1736: Lack of protection against Large Language Model denial of service [Updated]
  - INFO: Updated the match conditions.
T2526: Test the prevention Large Language Model Denial of Service [Added]
- P1736: Lack of protection against Large Language Model denial of service [Updated]
  - INFO: Updated the match conditions.
T2527: Protect Large Language Models against supply chain vulnerabilities [Added]
- P1737: Presence of supply chain vulnerabilities in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T2528: Test the protection of Large Language Models against supply chain vulnerabilities [Added]
- P1737: Presence of supply chain vulnerabilities in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T2529: Prevent sensitive information disclosure in Large Language Models [Added]
- P1738: Sensitive information disclosure in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T2530: Test the prevention of sensitive information disclosure in Large Language Models [Added]
- P1738: Sensitive information disclosure in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T2531: Design secure plugins for Large Language Models [Added]
- P1739: Insecure plugin design in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T2532: Test plugin design security for Large Language Models [Added]
- P1739: Insecure plugin design in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T2533: Mitigate excessive agency in Large Language Models [Added]
- P1740: Excessive agency in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T2534: Test excessive agency mitigation in Large Language Models [Added]
- P1740: Excessive agency in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T2535: Mitigate overreliance in Large Language Models [Added]
- P1741: Overreliance on Large Language Models [Updated]
  - INFO: Updated the match conditions.
T2536: Test overreliance in Large Language Models [Added]
- P1741: Overreliance on Large Language Models [Updated]
  - INFO: Updated the match conditions.
T2537: Prevent model theft in Large Language Models [Added]
- P1742: Model theft in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T2538: Test model theft prevention in Large Language Models [Added]
- P1742: Model theft in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T2561: Protect ML model against input manipulation attacks [Updated]
- INFO: Updated the match conditions.
- P1749: Lack of data integrity and robustness against poisoning in ML data [Updated]
  - INFO: Updated the match conditions.
T2562: Test ML model protection against input manipulation attacks [Updated]
- INFO: Updated the match conditions.
- P1749: Lack of data integrity and robustness against poisoning in ML data [Updated]
  - INFO: Updated the match conditions.
T2563: Protect ML model against data poisoning and skewing attacks [Updated]
- INFO: Updated the match conditions.
- P1749: Lack of data integrity and robustness against poisoning in ML data [Updated]
  - INFO: Updated the match conditions.
T2564: Test ML model protection against data poisoning and skewing attacks [Updated]
- INFO: Updated the match conditions.
- P1749: Lack of data integrity and robustness against poisoning in ML data [Updated]
  - INFO: Updated the match conditions.
T2565: Protect ML model against inversion attacks [Updated]
- INFO: Updated the match conditions.
- P1750: Lack of model confidentiality and privacy protection in ML [Updated]
  - INFO: Updated the match conditions.
T2567: Test ML model protection against inversion attacks [Updated]
- INFO: Updated the match conditions.
- P1750: Lack of model confidentiality and privacy protection in ML [Updated]
  - INFO: Updated the match conditions.
T2588: Prevent sensitive data exposure in ML models [Updated]
- INFO: Updated the match conditions.
- P1750: Lack of model confidentiality and privacy protection in ML [Updated]
  - INFO: Updated the match conditions.
T2589: Test ML model prevention of sensitive data exposure [Updated]
- INFO: Updated the match conditions.
- P1750: Lack of model confidentiality and privacy protection in ML [Updated]
  - INFO: Updated the match conditions.
T2590: Protect ML model against theft [Updated]
- INFO: Updated the match conditions.
- P1752: Lack of access control and model theft protection in ML [Updated]
  - INFO: Updated the match conditions.
T2591: Test ML model protection against theft [Updated]
- INFO: Updated the match conditions.
- P1752: Lack of access control and model theft protection in ML [Updated]
  - INFO: Updated the match conditions.
T2592: Protect ML model against supply chain attacks [Updated]
- INFO: Updated the match conditions.
- P1752: Lack of access control and model theft protection in ML [Updated]
  - INFO: Updated the match conditions.
T2593: Test ML model protection against supply chain attacks [Updated]
- INFO: Updated the match conditions.
- P1752: Lack of access control and model theft protection in ML [Updated]
  - INFO: Updated the match conditions.
T2594: Protect ML model against poisoning attacks [Updated]
- INFO: Updated the match conditions.
- P1753: Lack of model behavior integrity and manipulation protection in ML [Updated]
  - INFO: Updated the match conditions.
T2595: Test ML model protection against poisoning attacks [Updated]
- INFO: Updated the match conditions.
- P1753: Lack of model behavior integrity and manipulation protection in ML [Updated]
  - INFO: Updated the match conditions.
T4025: Provide Fundamental Rights Impact Assessment before deploying a high-risk AI system
- TA7051: Document and maintain data protection assessments for high-risk processing [Added]
T4118: Implement a logging strategy that satisfies both security and performance requirements
- TA7034: Provide businesses with a cure period for addressing violations [Added]
T4455: Prevent prompt injection in Large Language Models (Project Manager) [Updated]
- INFO: Updated the match conditions.
- P1733: Lack of protection against prompt injection in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T4456: Prevent prompt injection in Large Language Models (MLOps Engineer) [Updated]
- INFO: Updated the match conditions.
- P1733: Lack of protection against prompt injection in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T4457: Prevent prompt injection in Large Language Models (AI/ML Developer) [Updated]
- INFO: Updated the match conditions.
- P1733: Lack of protection against prompt injection in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T4458: Prevent prompt injection in Large Language Models (Data Scientist) [Updated]
- INFO: Updated the match conditions.
- P1733: Lack of protection against prompt injection in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T4459: Prevent prompt injection in Large Language Models (QA Analyst) [Updated]
- INFO: Updated the match conditions.
- P1733: Lack of protection against prompt injection in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T4460: Handle insecure output in Large Language Models (AI/ML Developer) [Updated]
- INFO: Updated the match conditions.
- P1733: Lack of protection against prompt injection in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T4461: Handle insecure output in Large Language Models (MLOps Engineer) [Updated]
- INFO: Updated the match conditions.
- P1733: Lack of protection against prompt injection in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T4462: Prevent training data poisoning in Large Language Models (Project Manager) [Updated]
- INFO: Updated the match conditions.
- P1735: Lack of protection against training data poisoning in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T4463: Prevent training data poisoning in Large Language Models (MLOps Engineer) [Updated]
- INFO: Updated the match conditions.
- I1909: Building Data Auditing and Validation Pipelines [Added]
- P1735: Lack of protection against training data poisoning in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T4464: Prevent training data poisoning in Large Language Models (Data Scientist) [Updated]
- INFO: Updated the match conditions.
- I1910: Building Advanced Data Preprocessing and Cleaning Frameworks [Added]
- P1735: Lack of protection against training data poisoning in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T4465: Prevent training data poisoning in Large Language Models (AI/ML Developer) [Updated]
- INFO: Updated the match conditions.
- I1911: Multi-stage model validation and evaluation framework [Added]
- P1735: Lack of protection against training data poisoning in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T4466: Prevent Large Language Model denial of service (Project Manager) [Updated]
- INFO: Updated the match conditions.
- P1736: Lack of protection against Large Language Model denial of service [Updated]
  - INFO: Updated the match conditions.
T4467: Prevent Large Language Model denial of service (MLOps Engineer) [Updated]
- INFO: Updated the match conditions.
- I1912: Dynamic resource monitoring and throttling framework [Added]
- P1736: Lack of protection against Large Language Model denial of service [Updated]
  - INFO: Updated the match conditions.
T4468: Prevent Large Language Models denial of service (AI/ML Developer) [Updated]
- INFO: Updated the match conditions.
- I1913: Scalable input handling and load management [Added]
- P1736: Lack of protection against Large Language Model denial of service [Updated]
  - INFO: Updated the match conditions.
T4469: Prevent Large Language Model denial of service (QA Analyst) [Updated]
- INFO: Updated the match conditions.
- P1736: Lack of protection against Large Language Model denial of service [Updated]
  - INFO: Updated the match conditions.
T4470: Protect Large Language Models against supply chain vulnerabilities (Project Manager) [Updated]
- INFO: Updated the match conditions.
- P1737: Presence of supply chain vulnerabilities in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T4471: Protect Large Language Models against supply chain vulnerabilities (MLOps Engineer) [Updated]
- INFO: Updated the match conditions.
- P1737: Presence of supply chain vulnerabilities in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T4472: Protect Large Language Models against supply chain vulnerabilities (AI/ML Developer) [Updated]
- INFO: Updated the match conditions.
- P1737: Presence of supply chain vulnerabilities in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T4473: Protect Large Language Models against supply chain vulnerabilities (Data Scientist) [Updated]
- INFO: Updated the match conditions.
- P1737: Presence of supply chain vulnerabilities in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T4474: Prevent sensitive information disclosure in Large Language Models (Project Manager) [Updated]
- INFO: Updated the match conditions.
- P1738: Sensitive information disclosure in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T4475: Prevent sensitive information disclosure in Large Language Models (MLOps Engineer) [Updated]
- INFO: Updated the match conditions.
- P1738: Sensitive information disclosure in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T4476: Prevent sensitive information disclosure in Large Language Models (AI/ML Developer) [Updated]
- INFO: Updated the match conditions.
- I1904: Data sanitization and redaction [Added]
- P1738: Sensitive information disclosure in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T4477: Prevent sensitive information disclosure in Large Language Models (Data Scientist) [Updated]
- INFO: Updated the match conditions.
- I1905: Data sanitization [Added]
- P1738: Sensitive information disclosure in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T4478: Design secure plugins for Large Language Models (Project Manager) [Updated]
- INFO: Updated the match conditions.
- P1739: Insecure plugin design in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T4479: Design secure plugins for Large Language Models (AI/ML Developer) [Updated]
- INFO: Updated the match conditions.
- P1739: Insecure plugin design in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T4480: Design secure plugins for Large Language Models (MLOps Engineer) [Updated]
- INFO: Updated the match conditions.
- P1739: Insecure plugin design in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T4481: Design secure plugins for Large Language Models (QA Analyst) [Updated]
- INFO: Updated the match conditions.
- P1739: Insecure plugin design in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T4482: Mitigate excessive agency in Large Language Models (Project Manager) [Updated]
- INFO: Updated the match conditions.
- P1740: Excessive agency in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T4483: Mitigate excessive agency in Large Language Models (MLOps Engineer) [Updated]
- INFO: Updated the match conditions.
- P1740: Excessive agency in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T4484: Mitigate excessive agency in Large Language Models (AI/ML Developer) [Updated]
- INFO: Updated the match conditions.
- P1740: Excessive agency in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T4485: Mitigate excessive agency in Large Language Models (QA Analyst) [Updated]
- INFO: Updated the match conditions.
- P1740: Excessive agency in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T4486: Mitigate overreliance in Large Language Models (Project Manager) [Updated]
- INFO: Updated the match conditions.
- P1741: Overreliance on Large Language Models [Updated]
  - INFO: Updated the match conditions.
T4487: Mitigate overreliance in Large Language Models (MLOps Engineer) [Updated]
- INFO: Updated the match conditions.
- I1914: Reducing overreliance in LLMs [Added]
- P1741: Overreliance on Large Language Models [Updated]
  - INFO: Updated the match conditions.
T4488: Mitigate overreliance in Large Language Models (AI/ML Developer) [Updated]
- INFO: Updated the match conditions.
- I1915: Systems to mitigate overreliance in llms [Added]
- P1741: Overreliance on Large Language Models [Updated]
  - INFO: Updated the match conditions.
T4489: Mitigate overreliance in Large Language Models (Data Scientist) [Updated]
- INFO: Updated the match conditions.
- P1741: Overreliance on Large Language Models [Updated]
  - INFO: Updated the match conditions.
T4490: Mitigate overreliance in Large Language Models (QA Analyst) [Updated]
- INFO: Updated the match conditions.
- P1741: Overreliance on Large Language Models [Updated]
  - INFO: Updated the match conditions.
T4491: Prevent model theft in Large Language Models (Project Manager) [Updated]
- INFO: Updated the match conditions.
- P1742: Model theft in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T4492: Prevent model theft in Large Language Models (MLOps Engineer) [Updated]
- INFO: Updated the match conditions.
- I1918: Securing vector databases to prevent model theft [Added]
- P1742: Model theft in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T4493: Prevent model theft in Large Language Models (AI/ML Developer) [Updated]
- INFO: Updated the match conditions.
- P1742: Model theft in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T4494: Prevent model theft in Large Language Models (Data Scientist) [Updated]
- INFO: Updated the match conditions.
- P1742: Model theft in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T4495: Prevent model theft in Large Language Models (QA Analyst) [Updated]
- INFO: Updated the match conditions.
- P1742: Model theft in Large Language Models [Updated]
  - INFO: Updated the match conditions.
T4496: Protect ML models against input manipulation attacks (MLOps Engineer) [Updated]
- INFO: Updated the match conditions.
- I1906: Real-time monitoring and automated responses [Added]
- P1749: Lack of data integrity and robustness against poisoning in ML data [Updated]
  - INFO: Updated the match conditions.
T4497: Protect ML models against input manipulation attacks (AI/ML Developer) [Updated]
- INFO: Updated the match conditions.
- I1907: Enhancing model security with adversarial defenses [Added]
- P1749: Lack of data integrity and robustness against poisoning in ML data [Updated]
  - INFO: Updated the match conditions.
T4498: Protect ML models against input manipulation attacks (QA Analyst) [Updated]
- INFO: Updated the match conditions.
- P1749: Lack of data integrity and robustness against poisoning in ML data [Updated]
  - INFO: Updated the match conditions.
T4499: Protect ML models against data poisoning and skewing attacks (Project Manager) [Updated]
- INFO: Updated the match conditions.
- P1749: Lack of data integrity and robustness against poisoning in ML data [Updated]
  - INFO: Updated the match conditions.
T4500: Protect ML models against data poisoning and skewing attacks (MLOps Engineer) [Updated]
- INFO: Updated the match conditions.
- I1916: Securing ML models against data poisoning and skewing attacks [Added]
- P1749: Lack of data integrity and robustness against poisoning in ML data [Updated]
  - INFO: Updated the match conditions.
T4501: Protect ML models against data poisoning and skewing attacks (AI/ML Developer) [Updated]
- INFO: Updated the match conditions.
- I1917: Protecting ML models against data poisoning [Added]
- P1749: Lack of data integrity and robustness against poisoning in ML data [Updated]
  - INFO: Updated the match conditions.
T4502: Protect ML models against data poisoning and skewing attacks (Data Scientist) [Updated]
- INFO: Updated the match conditions.
- P1749: Lack of data integrity and robustness against poisoning in ML data [Updated]
  - INFO: Updated the match conditions.
T4503: Protect ML models against inversion attacks (Project Manager) [Updated]
- INFO: Updated the match conditions.
- P1750: Lack of model confidentiality and privacy protection in ML [Updated]
  - INFO: Updated the match conditions.
T4504: Protect ML models against inversion attacks (MLOps Engineer) [Updated]
- INFO: Updated the match conditions.
- P1750: Lack of model confidentiality and privacy protection in ML [Updated]
  - INFO: Updated the match conditions.
T4505: Protect ML models against inversion attacks (AI/ML Developer) [Updated]
- INFO: Updated the match conditions.
- P1750: Lack of model confidentiality and privacy protection in ML [Updated]
  - INFO: Updated the match conditions.
T4506: Protect ML models against inversion attacks (QA Analyst) [Updated]
- INFO: Updated the match conditions.
- P1750: Lack of model confidentiality and privacy protection in ML [Updated]
  - INFO: Updated the match conditions.
T4507: Prevent sensitive data exposure in ML models (Project Manager) [Updated]
- INFO: Updated the match conditions.
- P1750: Lack of model confidentiality and privacy protection in ML [Updated]
  - INFO: Updated the match conditions.
T4508: Prevent sensitive data exposure in ML models (MLOps Engineer) [Updated]
- INFO: Updated the match conditions.
- P1750: Lack of model confidentiality and privacy protection in ML [Updated]
  - INFO: Updated the match conditions.
T4509: Prevent sensitive data exposure in ML models (AI/ML Developer) [Updated]
- INFO: Updated the match conditions.
- I1919: Securing sensitive data in ML models [Added]
- P1750: Lack of model confidentiality and privacy protection in ML [Updated]
  - INFO: Updated the match conditions.
T4510: Prevent sensitive data exposure in ML models (Data Scientist) [Updated]
- INFO: Updated the match conditions.
- P1750: Lack of model confidentiality and privacy protection in ML [Updated]
  - INFO: Updated the match conditions.
T4511: Prevent sensitive data exposure in ML models (QA Analyst) [Updated]
- INFO: Updated the match conditions.
- P1750: Lack of model confidentiality and privacy protection in ML [Updated]
  - INFO: Updated the match conditions.
T4512: Protect ML models against theft (Project Manager) [Updated]
- INFO: Updated the match conditions.
- P1752: Lack of access control and model theft protection in ML [Updated]
  - INFO: Updated the match conditions.
T4513: Protect ML models against theft (MLOps Engineer) [Updated]
- INFO: Updated the match conditions.
- P1752: Lack of access control and model theft protection in ML [Updated]
  - INFO: Updated the match conditions.
T4514: Protect ML models against theft (AI/ML Developer) [Updated]
- INFO: Updated the match conditions.
- P1752: Lack of access control and model theft protection in ML [Updated]
  - INFO: Updated the match conditions.
T4515: Protect ML models against theft (QA Analyst) [Updated]
- INFO: Updated the match conditions.
- P1752: Lack of access control and model theft protection in ML [Updated]
  - INFO: Updated the match conditions.
T4516: Protect ML models against supply chain attacks (Project Manager) [Updated]
- INFO: Updated the match conditions.
- P1752: Lack of access control and model theft protection in ML [Updated]
  - INFO: Updated the match conditions.
T4517: Protect ML models against supply chain attacks (MLOps Engineer) [Updated]
- INFO: Updated the match conditions.
- P1752: Lack of access control and model theft protection in ML [Updated]
  - INFO: Updated the match conditions.
T4518: Protect ML models against supply chain attacks (QA Analyst) [Updated]
- INFO: Updated the match conditions.
- P1752: Lack of access control and model theft protection in ML [Updated]
  - INFO: Updated the match conditions.
T4519: Protect ML models against poisoning attacks (Project Manager) [Updated]
- INFO: Updated the match conditions.
- P1753: Lack of model behavior integrity and manipulation protection in ML [Updated]
  - INFO: Updated the match conditions.
T4520: Protect ML models against poisoning attacks (MLOps Engineer) [Updated]
- INFO: Updated the match conditions.
- I1908: Ensuring secure and isolated ML environments [Added]
- P1753: Lack of model behavior integrity and manipulation protection in ML [Updated]
  - INFO: Updated the match conditions.
T4521: Protect ML models against poisoning attacks (AI/ML Developer) [Updated]
- INFO: Updated the match conditions.
- P1753: Lack of model behavior integrity and manipulation protection in ML [Updated]
  - INFO: Updated the match conditions.
T4522: Implement Data Anonymization in AWS Athena Using SHA-256 Hashing [Added]
- P2413: Insufficient Data Anonymization in AWS Athena [Added]
T4523: Implement Data Classification and Isolation in AWS Athena [Added]
- P2414: Inadequate Data Classification and Isolation in AWS Athena [Added]
T4524: Implement Data Classification Using Table Properties in AWS Athena [Added]
- P2415: Insufficient Data Classification in AWS Athena [Added]
T4525: Implement Data Classification and Encryption in AWS Backup [Added]
- P2416: Insufficient Data Classification and Lack of Sensitive Data Encryption in AWS Backup [Added]
T4526: Implement Comprehensive Monitoring Using AWS Services [Added]
- P2417: Insufficient Monitoring of AWS Backup Activities (AWS Backup) [Added]
T4527: Enforce Encryption for AWS Backup Using IAM Policies [Added]
- P2418: Insufficient Default Encryption in AWS Backup [Added]
T4528: Implement Scheduled and Continuous Backups Using AWS Backup [Added]
- P2419: Insufficient Data Redundancy and Recovery Capabilities (AWS Backup) [Added]
T4529: Implement a Structured Data Migration Using AWS DataSync [Added]
- P2420: Insecure Data Migration (AWS DataSync) [Added]
T4530: Secure Data Handling in AWS DataSync Discovery [Added]
- P2421: Insecure Data Handling in AWS DataSync Discovery [Added]
T4531: Establish a Secure Landing Zone for AWS DataSync [Added]
- P2422: Inadequate Isolation and Monitoring in AWS DataSync [Added]
T4532: Implement AWS Direct Connect for Secure DataSync Transfers [Added]
- P2423: Data Exposure via Public Internet during AWS DataSync Transfers [Added]
T4533: Implement Segmented Network Architecture in AWS Direct Connect [Added]
- P2424: Inadequate Network Segmentation in AWS Direct Connect [Added]
T4534: Enhance Security for AWS Direct Connect Using AWS WAF and ELB [Added]
- P2425: Insufficient Security Controls in AWS Direct Connect (AWS Direct Connect) [Added]
T4535: Enhance AWS Direct Connect Resilience and Security Against DoS Attacks [Added]
- P2426: Vulnerability to Denial of Service (DoS) Attacks in AWS Direct Connect [Added]
T4536: Implement Encrypted Data Transit with MACsec for AWS Direct Connect [Added]
- P2427: Lack of Encrypted Data Transit in AWS Direct Connect [Added]
T4537: Implement Message Redaction and Masking in AWS EventBridge [Added]
- P2428: Sensitive Data Exposure in AWS EventBridge [Added]
T4538: Encrypt Ephemeral Storage Using AWS KMS [Added]
- P2429: Inadequate Encryption of Ephemeral Storage in AWS Fargate [Added]
T4539: Implement Resource Monitoring with Amazon CloudWatch Container Insights [Added]
- P2430: Resource Exhaustion in AWS Fargate Tasks [Added]
T4540: Implement GuardDuty Runtime Monitoring for AWS Fargate [Added]
- P2431: Insufficient Monitoring of Security Threats in AWS Fargate [Added]
T4541: Automate AWS Fargate Deployments Using Infrastructure as Code [Added]
- P2432: Inconsistent Configuration and Human Error in Manual AWS Fargate Deployments [Added]
T4542: Implement Robust Data Classification and Access Control in AWS FSx for Lustre [Added]
- P2433: Inadequate Data Classification and Access Control in AWS FSx for Lustre [Added]
T4543: Implement Comprehensive Monitoring and Logging for AWS FSx for Lustre [Added]
- P2434: Insufficient Monitoring and Logging in AWS FSx for Lustre [Added]
T4544: Enforce Encryption for AWS FSx for Lustre Using AWS KMS [Added]
- P2435: Insufficient Encryption of Data at Rest in AWS FSx for Lustre [Added]
T4545: Implement Scheduled and Monitored Backups for AWS FSx for Lustre [Added]
- P2436: Insufficient Backup and Monitoring Vulnerability (AWS FSx for Lustre) [Added]
T4546: Implement Data Classification and Access Control for AWS FSx for Windows File Server [Added]
- P2437: Insufficient Data Classification and Access Control in AWS FSx for Windows File Server [Added]
T4547: Implement Anomalous Activity Detection Using AWS Services [Added]
- P2438: Anomalous Activity Detection Weakness in AWS FSx for Windows File Server [Added]
T4548: Enforce Encryption-at-Rest for AWS FSx for Windows File Server [Added]
- P2439: Insufficient Encryption of Sensitive Data in AWS FSx for Windows File Server [Added]
T4549: Implement Scheduled and Monitored Backups for AWS FSx for Windows File Server [Added]
- P2440: Insufficient Backup Frequency and Monitoring (AWS FSx for Windows File Server) [Added]
T4550: Configure GuardDuty to Use a Dedicated KMS Key for Secure Export of Findings [Added]
- P2441: Inadequate Encryption Key Management in AWS GuardDuty (AWS GuardDuty) [Added]
T4551: Automate Incident Response for GuardDuty Findings [Added]
- P2442: Delayed Incident Response Due to Manual Intervention (AWS GuardDuty) [Added]
T4552: Enable Integration of AWS GuardDuty with AWS Security Hub [Added]
- P2443: Isolated Security Findings in AWS GuardDuty (AWS Cloud Services) [Added]
T4553: Implement ABAC for AWS GuardDuty [Added]
- P2444: Insufficient Granularity in Access Control (AWS GuardDuty) [Added]
T4554: Implement Robust Key Management Policies for AWS Inspector [Added]
- P2445: Inadequate Key Management Policies in AWS Inspector [Added]
T4555: Implement Automated Incident Response with Amazon Inspector and AWS Security Hub [Added]
- P2446: Inadequate Automated Response to Security Events (Amazon Inspector and AWS Security Hub) [Added]
T4556: Integrate Amazon Inspector with AWS Security Hub for Enhanced Security Monitoring [Added]
- P2447: Inadequate Security Monitoring and Analysis (AWS Environment) [Added]
T4557: Implement ABAC for AWS Inspector using Tag-Based Policies [Added]
- P2448: Inadequate Access Control in AWS Inspector Using Traditional RBAC [Added]
T4558: Enable IAM Database Authentication for Amazon Neptune [Added]
- P2449: Credential Exposure Risk in Amazon Neptune Due to Default Authentication Method [Added]
T4559: Implement Dedicated IAM User Accounts with Minimum Privileges for Amazon Neptune [Added]
- P2450: Inadequate Access Control in Amazon Neptune [Added]
T4560: Enable Encryption for AWS Neptune Instances [Added]
- P2451: Lack of Data Encryption at Rest in AWS Neptune Instances [Added]
T4561: Implement Regular and Secure Backups for AWS Neptune [Added]
- P2452: Insufficient Backup Retention and Vulnerability to Data Loss in AWS Neptune [Added]
T4562: Enhance Security and Compliance by Monitoring and Auditing AWS Neptune Activity [Added]
- P2453: Insufficient Monitoring and Auditing of AWS Neptune Activity [Added]
T4563: Implement Rigorous Data Validation and Monitoring for AWS Rekognition [Added]
- P2454: Data Poisoning Vulnerability in AWS Rekognition [Added]
T4564: Implement Data Sanitization for AWS Rekognition Training Sets [Added]
- P2455: Inadequate Data Sanitization in AWS Rekognition Training Sets [Added]
T4565: Isolate AWS Rekognition Workloads [Added]
- P2456: Insufficient Isolation of AWS Rekognition Workloads [Added]
T4566: Implement Least Privilege Access Control for AWS Rekognition [Added]
- P2457: Insufficient Access Control in AWS Rekognition [Added]
T4567: Implement Least-Privilege Access Controls [Added]
- P2458: Insufficient Access Control in Amazon Rekognition [Added]
T4568: Implement Centralized Artifact Management for AWS X-Ray Dependencies [Added]
- P2459: Insecure Dependency Management in AWS X-Ray [Added]
T4569: Implement Automated Deployment for AWS X-Ray Using CI/CD Pipelines [Added]
- P2460: Inconsistent Deployment and Configuration Management in AWS X-Ray Integration [Added]
T4570: Integrate Security Testing for AWS X-Ray with CI/CD Pipeline [Added]
- P2461: Insufficient Security Testing in CI/CD Pipeline (AWS X-Ray) [Added]
T4571: Implement Least Privilege Access for AWS X-Ray [Added]
- P2462: Insufficient Privilege Restriction in AWS X-Ray [Added]
T4572: Enhance Security Monitoring and Configuration Management for AWS X-Ray [Added]
- P2463: Insufficient Security Monitoring and Configuration Management in AWS X-Ray [Added]
T4593: Monitor the behaviour on endpoint [Added]
- P2484: Lack of endpoint behavior monitoring [Added]
T4594: Block users or groups from installing or using unapproved hardware [Added]
- P2485: Unauthorized hardware installation and usage [Added]
T4595: Protect processes with high privileges [Added]
- P2486: Lack of protection for high-privilege processes [Added]
T4596: Restrict the ability to modify certain hives or keys in the Windows Registry [Added]
- P2487: Unauthorized Windows Registry modification [Added]
T4597: Break and inspect SSL/TLS sessions [Added]
- P2488: Inadequate monitoring of encrypted traffic [Added]
T4598: Configure Windows User Account Control [Added]
- P2489: lack of secure User Account Control (UAC) configuration [Added]
T4599: Mitigate hazards and protect against property damage, safety risks, and environmental harm [Added]
- P2490: Lack of hazards mitigations [Added]
T4600: Establish Out-of-Band Communications Channel [Added]
- P2491: Inadequate Communication Alternatives [Added]
T4601: Perioritize static network configuration [Added]
- P2492: Risk of dynamic network protocols [Added]
T4602: Utilize watchdog timers to ensure devices can quickly detect whether a system is unresponsive [Added]
- P2493: Lack of Watchdog Timer Implementation [Added]
T4643: Validate container image signatures [Added]
- P2494: Use of Unverified Container Images (Singularity) [Added]
T4644: Use a minimal base image for container security [Added]
- P2495: Excessive Package Inclusion in Container Images (Singularity) [Added]
T4645: Run containers with minimal privileges [Added]
- P2496: Excessive Privileges in Containerized Applications (Singularity) [Added]
T4646: Limit network access in Singularity container environments [Added]
- P2497: Unrestricted Network Access (Singularity) [Added]
T4647: Set resource constraints on containers [Added]
- P2498: Resource Exhaustion Vulnerability (Singularity) [Added]
T4648: Implement continuous scanning and monitoring of container environments [Added]
- P2499: Lack of Continuous Scanning and Monitoring (Singularity) [Added]
T4649: Implement strong isolation between containers [Added]
- P2500: Lack of Strong Isolation Between Containers (Singularity) [Added]
T4650: Automate lifecycle management for container images [Added]
- P2501: Outdated Container Image Usage (Singularity) [Added]
T4651: Use network policies to restrict access to Snowflake [Added]
- P2502: Lack of Network Access Control (Snowflake) [Added]
T4652: Implement object-level access control in Snowflake [Added]
- P2503: Lack of Object-Level Access Control (Snowflake) [Added]
T4653: Use SCIM for user and role provisioning in Snowflake [Added]
- P2504: Manual User and Role Provisioning Errors (Snowflake) [Added]
T4654: Implement OAuth as the preferred authentication method in Snowflake [Added]
- P2505: Insecure Authentication Methods (Snowflake and Client Applications) [Added]
T4655: Enable Multi-Factor Authentication (MFA) for Snowflake account [Added]
- P2506: Lack of Multi-Factor Authentication (Snowflake Account) [Added]
T4656: Close connection when no longer required in Snowflake [Added]
- P2507: Resource Leak Due to Unclosed Connections (General Software) [Added]
T4657: Establish a proper role hierarchy model in Snowflake [Added]
- P2508: Improper Role Hierarchy Model (Snowflake) [Added]
T4658: Implement dynamic data masking in Snowflake [Added]
- P2509: Lack of Dynamic Data Masking (Snowflake) [Added]
T4659: Create secure views in Snowflake [Added]
- P2510: Inadequate Data Access Control in Database Views (Generic Database Systems) [Added]
T4660: Enable tri-secret secure for enhanced data encryption in Snowflake [Added]
- P2511: Lack of Customer-Managed Key Integration (Snowflake) [Added]
T4661: Use credential-less stages to prevent data exfiltration in Snowflake [Added]
- P2512: Unrestricted Data Access via External Stages (Snowflake) [Added]
T4662: Monitor Snowflake usage for audit and compliance [Added]
- P2513: Lack of Comprehensive Monitoring and Audit Capabilities (Snowflake) [Added]
T4663: Determine access to objects in Snowflake [Added]
- P2514: Inadequate Access Control Management (Snowflake) [Added]
T4680: Implement the Proportionality Principle in Risk Management [Added]
- P2515: Inadequate Risk Management Framework [Added]
T4681: Implement a Comprehensive Risk Management Framework [Added]
- P2516: Lack of Comprehensive Risk Management Framework [Added]
T4682: Use and maintain updated systems, protocols, and tools [Added]
- P2517: Outdated Systems and Protocols [Added]
T4683: Implement a Comprehensive Business Continuity Policy [Added]
- P2518: Lack of Comprehensive Business Continuity Policy [Added]
T4692: Secure management of public surveillance data [Added]
- TA6982: Usage restrictions and consent for public surveillance [Added]
- P257: Privacy Violation [Updated]
  - INFO: Updated the match conditions.
T4693: Enforce compliance with sector-specific regulations [Added]
- TA6983: Regulatory compliance for sensitive data processing [Added]
- P257: Privacy Violation [Updated]
  - INFO: Updated the match conditions.
T4694: Establish personal information compliance systems [Added]
- TA6986: Enhance governance and transparency for major platforms [Added]
- P257: Privacy Violation [Updated]
  - INFO: Updated the match conditions.
T4695: Handle personal data of deceased individuals [Added]
- TA6998: Guidelines for posthumous data management [Added]
- P257: Privacy Violation [Updated]
  - INFO: Updated the match conditions.
T4696: Implement an Effective Compliance Reporting System (EU NIS2) [Added]
T4697: Implement Independent Reviews of Compliance with Network and Information System Security Policies (EU NIS2) [Added]
T4698: Assess and Classify Suspicious Events (EU NIS2) [Added]
T4699: Conduct Post-Incident Reviews (EU NIS2) [Added]
T4700: Develop and Maintain a Business Continuity and Disaster Recovery Plan (EU NIS2) [Added]
T4701: Implement Redundancy in Network and Information Systems (EU NIS2) [Added]
T4702: Develop and Implement a Crisis Management Process (EU NIS2) [Added]
T4703: Establish and Maintain Secure Configuration Management (EU NIS2) [Added]
T4704: Implement Network Security Measures (EU NIS2) [Added]
- P2519: Network Security Weaknesses (EU NIS2) [Added]
T4705: Segment networks and update regularly (EU NIS2) [Added]
T4706: Implement Malicious and Unauthorized Software Detection and Protection Mechanisms (EU NIS2) [Added]
- P2520: Lack of Malicious and Unauthorized Software Detection and Protection Mechanisms (EU NIS2) [Added]
T4707: Maintain Effective Cybersecurity Risk-Management Measures (EU NIS2) [Added]
T4708: Establish and Implement Cryptography Policy and Procedures (EU NIS2) [Added]
- P2521: Inadequate Cryptography Policy and Procedures (EU NIS2) [Added]
T4709: Implement Cyber Hygiene Practices (EU NIS2) [Added]
- P2522: Lack of Cyber Hygiene Practices (EU NIS2) [Added]
T4710: Implement Background Verification for Sensitive Roles (EU NIS2) [Added]
- P2523: Lack of Background Verification for Sensitive Roles (EU NIS2) [Added]
T4711: Implement Post-Employment Security Responsibilities (EU NIS2) [Added]
- P2524: Lack of Post-Employment Security Responsibilities (EU NIS2) [Added]
T4712: Establish and Maintain a Disciplinary Process for Security Policy Violations (EU NIS2) [Added]
- P2525: Lack of Disciplinary Process for Security Policy Violations (EU NIS2) [Added]
T4713: Implement and Communicate Asset Handling Policy (EU NIS2) [Added]
T4714: Implement a Removable Media Management Policy (EU NIS2) [Added]
- P2526: Inadequate Removable Media Management (EU NIS2) [Added]
T4715: Implement Redundancy and Monitoring for Supporting Utilities (EU NIS2) [Added]
- P2527: Lack of Redundancy and Monitoring for Supporting Utilities (EU NIS2) [Added]
T4716: Implement Protection Measures Against Physical and Environmental Threats (EU NIS2) [Added]
- P2529: Lack of Physical and Environmental Protection Measures (EU NIS2) [Added]
T4717: Implement Physical Access Controls for Network and Information Systems (EU NIS2) [Added]
- P2528: Inadequate Physical Access Controls (EU NIS2) [Added]
T4718: Secure management of public surveillance data [Added]
- P257: Privacy Violation [Updated]
  - INFO: Updated the match conditions.
T4719: Enforce compliance with sector-specific regulations [Added]
- P257: Privacy Violation [Updated]
  - INFO: Updated the match conditions.
T4720: Establish personal information compliance systems [Added]
- P257: Privacy Violation [Updated]
  - INFO: Updated the match conditions.
T4721: Handle personal data of deceased individuals [Added]
- P257: Privacy Violation [Updated]
  - INFO: Updated the match conditions.
P712: Always Applicable / Applicable When Linked Countermeasures Are Included [Updated]
- INFO: Updated the title and text.
Changes to Project Properties and Profiles
- Q199: Authentication
  - Q125: Authentication Backend
    - Q153: SSO Suite [Removed]
- Q202: More Features
  - Q214: Miscellaneous
    - A1186: Installs other applications on the user's device or gets updated in the background [Updated]
      - INFO: Updated the description.
- Q204: Financial Systems
  - Q229: Financial Regulations
    - Q449: In-Scope for EU Digital Operational Resilience Act (DORA) [Added]
      - A1972: Yes [Added]
- Q205: Geography
  - Q159: Organization is Subject to Laws of:
    - A1334: France [Updated]
      - INFO: Updated the children.
- Q206: Privacy
  - Q160: Handles Personal Data
    - Q454: US State-Specific Privacy Legislation [Added]
      - A1996: Virginia CDPA [Added]
      - A1997: Colorado PA [Added]
      - A1998: Connecticut PDPOM [Added]
      - A1999: Utah CPA [Added]
      - A2000: Oregon PL [Added]
      - A2001: Texas DPSA [Added]
      - A2002: Montana CDPA [Added]
    - Q224: Privacy Regulations
      - A1995: China PIPL [Added]
- Q211: Development Tools
  - Q364: Version control platforms [Updated]
    - INFO: Updated the parent.
- Q237: Compliance Scope: Other
  - Q456: In scope for EU NIS2 [Added]
    - A2006: Yes [Added]
- Q243: Internal Hidden Properties
  - Q189: Internal Properties (Use this, for all hidden answers)
    - A2008: LLM Role-based [Added]
    - A2009: LLM Role-agnostic [Added]
    - A2010: MD Role-based [Added]
    - A2011: MD Role-agnostic [Added]
- Q262: External Dependencies
  - Q263: Software Updates
    - Q373: Customer Relationship Management (CRM) [Updated]
      - INFO: Updated the text.
- Q284: Context and Characteristics
  - Q252: Application's Context and Characteristics
    - Q455: US State-Specific AI Regulation [Added]
      - A2004: Utah AIPA [Added]
      - A2005: Colorado CPAI [Added]
    - Q457: AI Content Organization [Added]
      - A1629: Role-based AI content [Added]
      - A2007: Role-agnostic AI content [Added]
    - Q357: Artificial Intelligence/Machine Learning [Updated]
      - INFO: Updated the description.
      - A1362: Uses Large Language Models (LLMs) [Updated]
        
        INFO: Updated the children.
      - A1367: Builds and deploys machine learning (ML) models [Updated]
        
        INFO: Updated the children.
      - A2003: US-State AI regulation [Added]
    - Q368: Type of AI system [Updated]
      - INFO: Updated the created date time.
      - A1506: High Risk [Updated]
        
        INFO: Updated the description.
      - A1507: Limited/low risk [Updated]
        
        INFO: Updated the text and description.
      - A1509: General Purpose AI Models with Systemic Risk [Updated]
        
        INFO: Updated the description.
    - A1283: This is an automotive application [Updated]
      - INFO: Updated the description.
- Q304: Database Technologies
  - Q440: Data Platforms [Added]
    - A1927: Snowflake [Added]
- Q307: Containerization
  - Q308: Containerization Technologies
    - A1926: Singularity [Added]
- Q313: General Activities [Removed]
- Q361: Amazon Web Services (AWS)
  - Q298: AWS Services
    - A1627: AWS FSx for Lustre [Added]
    - A1628: AWS FSx for Windows File Server [Added]
- Q369: Network Technologies
  - Q372: Network Components [Updated]
    - INFO: Updated the created date time and description.
    - A1566: Directory Server [Updated]
      - INFO: Updated the description.
    - A1567: DNS Server [Updated]
      - INFO: Updated the description.
    - A1568: Firewall [Updated]
      - INFO: Updated the description.
    - A1569: FTP Server [Updated]
      - INFO: Updated the description.
    - A1570: IDS/IPS [Updated]
      - INFO: Updated the description.
    - A1571: Load Balancer [Updated]
      - INFO: Updated the description.
    - A1572: Message Broker [Updated]
      - INFO: Updated the description.
    - A1575: Proxy Server [Updated]
      - INFO: Updated the description.
    - A1576: Router [Updated]
      - INFO: Updated the description.
    - A1577: Service Bus [Updated]
      - INFO: Updated the description.
    - A1578: Virtual Private Network (VPN) Server [Updated]
      - INFO: Updated the description.
    - A1585: Content Delivery Network (CDN) [Updated]
      - INFO: Updated the description.
Added Components
- SC763: Singularity
- SC764: Snowflake
- SC765: Browser
- SC766: SSH Client
- SC767: Generic Client
- SC768: Rich Client
- SC769: Web Client
Updated Components
- SC38: User
  - INFO: Updated the implied attributes.
- SC101: Project Characteristics
  - INFO: Updated the description.
- SC115: AWS Athena
  - INFO: Updated the description.
- SC137: AWS EventBridge
  - INFO: Updated the description.
- SC165: AWS Fargate
  - INFO: Updated the description.
- SC182: AWS Neptune
  - INFO: Updated the description.
- SC199: AWS X-Ray
  - INFO: Updated the description.
- SC248: AWS Rekognition
  - INFO: Updated the description.
- SC283: AWS DataSync
  - INFO: Updated the description.
- SC290: AWS Direct Connect
  - INFO: Updated the description.
- SC309: AWS GuardDuty
  - INFO: Updated the description.
- SC311: AWS Inspector
  - INFO: Updated the description.
- SC322: AWS Backup
  - INFO: Updated the description.
- SC326: AWS FSx for Lustre
  - INFO: Updated the description, answer mapping, and, implied attributes.
- SC329: AWS FSx for Windows File Server
  - INFO: Updated the description, answer mapping, and, implied attributes.
- SC761: Blank Component
  - INFO: Updated the description.
- SC762: Attacker
  - INFO: Updated the hidden and implied attributes.

Content additions and updates as of February 13, 2025:

T2656: Create dedicated database user accounts with minimum privileges (CockroachDB) [Updated]
- INFO: Updated the title
T4692: Secure management of public surveillance data [Deactivated]
T4693: Enforce compliance with sector-specific regulations [Deactivated]
T4694: Establish personal information compliance systems [Deactivated]
T4695: Handle personal data of deceased individuals [Deactivated]
T4718: Secure management of public surveillance data [Updated]
- INFO: Updated the match conditions.
T4719: Enforce compliance with sector-specific regulations [Updated]
- INFO: Updated the match conditions.
T4720: Establish personal information compliance systems [Updated]
- INFO: Updated the match conditions.
T4721: Handle personal data of deceased individuals [Updated]
- INFO: Updated the match conditions.

Content additions and updates as of February 13, 2025:

T2656: Create dedicated database user accounts with minimum privileges (CockroachDB) [Updated]
- INFO: Updated the title.
T4681: Implement a Comprehensive Risk Management Framework [Updated]
- INFO: Updated the phase.
T4692: Secure management of public surveillance data [Deactivated]
T4693: Enforce compliance with sector-specific regulations [Deactivated]
T4694: Establish personal information compliance systems [Deactivated]
T4695: Handle personal data of deceased individuals [Deactivated]
T4718: Secure management of public surveillance data [Updated]
- INFO: Updated the match conditions.
T4719: Enforce compliance with sector-specific regulations [Updated]
- INFO: Updated the match conditions.
T4720: Establish personal information compliance systems [Updated]
- INFO: Updated the match conditions.
T4721: Handle personal data of deceased individuals [Updated]
- INFO: Updated the match conditions.

2024.3

October 12, 2024

New features and enhancements

Library Weakness
- Added the ability to update CWE mappings on Library Weaknesses including the ability to revert those changes back to latest builtin content mapping.
Library Countermeasures
- Added the API capability to POST, PATCH and DELETE Countermeasures, Additional Requirements and How-Tos.
- Improved GET API functionality for Library Countermeasures including new ways to filter content by.
CompositeAPI
- Added the ability to send multiple API requests in a single HTTP request and roll back all changes if any request fails. This reduces the need for multiple API calls and improves performance.

Updates

November 9, 2024

Scan a Repository
- Added the ability to connect to GitLab to scan a repository
- Users now have the option to connect to either GitLab or GitHub
- Added additional mapping coverage for Containerization, .NET, and C/C++ Technologies

Content improvements summary

EU Cyber Resilience Act
- Added a new Compliance Regulation and 16 new countermeasures, 16 new weaknesses,and 3 amendments.
UK PSTI
- Added a new Compliance Regulation and 3 new amendments.
ANSI/ISA 62443-4-1 (ISASecure SDLA 312)
- Updated the mappings and added new countermeasures to the regulation to account for gaps that were detected.

Content additions and updates (as of September 27, 2024)

Compliance Regulations and Mappings
- Added UK PSTI
- Added EU Cyber Resilience Act
- Updated OWASP Top 10 for Large Language Model Applications v1.0.0 [INFO: Updated the regulation sections].
- Updated ANSI/ISA 62443-4-1 (ISASecure SDLA 312) [INFO: Updated the regulation sections].
Content Packs
- Added UK PSTI
- Added API Gateway
- Added Podman
- Added CRM
- Added Salesforce
- Added CircleCI
- Added EU Cyber Resilience Act
- Added Bash/Shell
T13: Change Automatically Generated Passwords
- TA6891: PSTI Requirement 1 [Added]
T21: Ensure all data in transit is encrypted using a secure TLS channel
- P216: Clear Text and Unencrypted Transmission of Information [Updated]
  - INFO: Updated the match conditions.
T170: Secure IPC endpoints used in clients [Updated]
- INFO: Updated the match conditions.
T312: Verify that inter-process communication (IPC) endpoints are secured in client [Updated]
- INFO: Updated the match conditions.
T370: Follow best practices for using third-party software libraries/modules and open source/COTS components
- TA6895: Facilitate due diligence if using free and open-source software (FOSS) components in your products [Added]
T379: Provide sufficient documentation for security-related features
- TA6889: PSTI Requirement 2 [Added]
- TA6890: PSTI Requirement 3 [Added]
T1376: Provide and maintain guidance on secure installation, maintenance, and configuration of all software components
- TA6814: SDLA 312 Requirement (SG-7) [Deactivated]
T1388: Triage and fix vulnerabilities discovered during automated and manual security tests
- TA6893: Effective vulnerability management throughout the product's support period [Added]
- TA6803: SDLA 312 Requirement (DM-6) [Deactivated]
- TA6820: SDLA 312 Requirement (SM-12) [Deactivated]
- TA6821: SDLA 312 Requirement (SM-13) [Deactivated]
T1921: Track and manage usage of third-party and commercial off the shelf (COTS) hardware or software
- TA6892: Reporting and addressing vulnerabilities in third-party components [Added]
T2510: Define cybersecurity goals and requirements for a component
- TA6807: SDLA 312 Requirement (SD-4) [Deactivated]
- TA6833: SDLA 312 Requirement (SR-5) [Deactivated]
T2513: Verify whether cybersecurity goals and requirements are clearly defined for a component
- TA6851: SDLA 312 Test Requirement (SD-2) [Deactivated]
- TA6852: SDLA 312 Test Requirement (SD-3) [Deactivated]
- TA6853: SDLA 312 Test Requirement (SD-4) [Deactivated]
- TA6878: SDLA 312 Test Requirement (SR-5) [Deactivated]
T2519: Prevent prompt injection in Large Language Models [Deactivated]
T2520: Test the prevention of prompt injection in Large Language Models [Deactivated]
T2521: Handle insecure output in Large Language Models [Deactivated]
T2522: Test insecure output handling in Large Language Models [Deactivated]
T2523: Prevent training data poisoning in Large Language Models [Deactivated]
T2524: Test the prevention of training data poisoning in Large Language Models [Deactivated]
T2525: Prevent Large Language Model Denial of Service [Deactivated]
T2526: Test the prevention Large Language Model Denial of Service [Deactivated]
T2527: Protect Large Language Models against supply chain vulnerabilities [Deactivated]
T2528: Test the protection of Large Language Models against supply chain vulnerabilities [Deactivated]
T2529: Prevent sensitive information disclosure in Large Language Models [Deactivated]
T2530: Test the prevention of sensitive information disclosure in Large Language Models [Deactivated]
T2531: Design secure plugins for Large Language Models [Deactivated]
T2532: Test plugin design security for Large Language Models [Deactivated]
T2533: Mitigate excessive agency in Large Language Models [Deactivated]
T2534: Test excessive agency mitigation in Large Language Models [Deactivated]
T2535: Mitigate overreliance in Large Language Models [Deactivated]
T2536: Test overreliance in Large Language Models [Deactivated]
T2537: Prevent model theft in Large Language Models [Deactivated]
T2538: Test model theft prevention in Large Language Models [Deactivated]
T2675: Verify that vulnerabilities discovered during automated and manual security tests are triaged and fixed
- TA6849: SDLA 312 Test Requirement (DM-6) [Deactivated]
- TA6865: SDLA 312 Test Requirement (SM-12) [Deactivated]
- TA6866: SDLA 312 Test Requirement (SM-13) [Deactivated]
T2678: Verify that guidance is provided and maintained for secure installation, maintenance and configuration of all software components
- TA6859: SDLA 312 Test Requirement (SG-7) [Deactivated]
T4207: Anonymize sensitive data in the analytics environment with the DLP API (GCP) [Added]
- P2211: Insufficient privacy of data in analytics workloads (GCP) [Added]
T4208: Ensure all types of data are reviewed and classified (GCP) [Added]
- P2212: Insufficient data classification and data controls (GCP) [Added]
T4209: Record data classification attributes in the Data Catalog (GCP) [Added]
- P2213: Failure to maintain data classification and data controls in different workloads (GCP) [Added]
T4210: Protect data in integration workflows (GCP) [Added]
- P2214: Sensitive data exposure (GCP) [Added]
T4211: Connect securely to services in integration workflows (GCP) [Added]
- P2215: Insecure access to resources during integration workflows (GCP) [Added]
T4212: Implement strict key processes for storing, handling, and using blockchain keys (GCP) [Added]
- P2216: Insecure key management (GCP) [Added]
T4213: Use established patterns to hide private data and link it to blockchain transactions (GCP) [Added]
- P2217: Disclosure of private business data (GCP) [Added]
T4214: Have a plan for modifying smart contracts or mitigating newly discovered vulnerabilities (GCP) [Added]
- P2218: Smart contract vulnerabilities (GCP) [Added]
T4215: Harden Google Workspace user settings (GCP) [Added]
- P2219: Insufficient protection of user accounts (GCP) [Added]
T4216: Implement policies for secure handling of business data (GCP) [Added]
- P2220: Insecure handling of business data in Google business applications (GCP) [Added]
T4217: Isolate application workloads according to security requirements (GCP) [Added]
- P2221: Insufficient isolation of application workloads (GCP) [Added]
T4218: Ensure compute services have sufficient resources and are fault tolerant (GCP) [Added]
- P2222: Denial of service attacks against application workloads (GCP) [Added]
T4219: Monitor application workloads and patch vulnerabilities (GCP) [Added]
- P2223: Undetected vulnerabilities in application workloads (GCP) [Added]
T4220: Deploy and manage application environments through automation (GCP) [Added]
- P2224: Manual application management processes (GCP) [Added]
T4221: Use trusted container images (GCP) [Added]
- P2225: Vulnerable container images (GCP) [Added]
T4222: Protect images against supply chain attacks (GCP) [Added]
- P2226: Supply chain attacks that target container images (GCP) [Added]
T4223: Run containers with a least privilege identity (GCP) [Added]
- P2227: Containers with excessive privileges (GCP) [Added]
T4224: Use IAM authentication for databases if supported (GCP) [Added]
- P2228: Weaknesses in credential management (GCP) [Added]
T4225: Create dedicated database user accounts with minimum privileges (GCP) [Added]
- P2229: Excessive permissions for database user accounts (GCP) [Added]
T4226: Use automatic authentication with a Cloud SQL connector (GCP) [Added]
- P2230: Insecure connection practices (GCP) [Added]
T4227: Schedule regular database backups to protect availability (GCP) [Added]
- P2231: Failure to safeguard against data loss (GCP) [Added]
T4228: Monitor database activity and collect database instance logs (GCP) [Added]
- P2232: Failure to monitor database activity (GCP) [Added]
T4229: Use a centralized artifact store to manage dependencies (GCP) [Added]
- P2233: Vulnerable or malicious application dependencies (GCP) [Added]
T4230: Deploy software using automated processes (GCP) [Added]
- P2234: Poor dependency management with manual deployment (GCP) [Added]
T4231: Protect the software supply chain with Software Delivery Shield (GCP) [Added]
- P2235: Insufficient controls to detect vulnerable code (GCP) [Added]
T4232: Give developers least privilege access to the development environment (GCP) [Added]
- P2236: Excessive permissions in the development environment (GCP) [Added]
T4233: Log activity in the development environment (GCP) [Added]
- P2237: Insufficient monitoring of development activity and CI/CD processes (GCP) [Added]
T4234: Vet data and monitor models according to best practices (GCP) [Added]
- P2238: Data poisoning attacks (GCP) [Added]
T4235: Vet training data sets for sensitive data and sanitize them (GCP) [Added]
- P2239: Exposure of sensitive or confidential data (GCP) [Added]
T4236: Isolate ML workloads (GCP) [Added]
- P2240: Unecessary exposure of ML environments (GCP) [Added]
T4237: Limit access to ML artifacts (GCP) [Added]
- P2241: Insufficient protection for ML artifacts (GCP) [Added]
T4238: Review the Google Responsible AI policy and ensure your application is in compliance (GCP) [Added]
- P2242: Failure to meet the Google Responsible AI policy (GCP) [Added]
T4239: Use automated processes to keep people away from data (GCP) [Added]
- P2243: Manual management processes with insufficient security controls (GCP) [Added]
T4240: Use the Organization Policy Service to enforce a consistent security baseline (GCP) [Added]
- P2244: Lack of controls to enforce security policy in complex environments (GCP) [Added]
T4241: Follow best practices for logging and monitoring (GCP) [Added]
- P2245: Insecure or insufficient system logging (GCP) [Added]
T4242: Protect API keys with use restrictions and signatures (GCP) [Added]
- P2246: Inadequate protection of API keys for Maps Platform APIs (GCP) [Added]
T4243: Follow privacy rules for location data with Maps API (GCP) [Added]
- P2247: Failure to ensure privacy of location data (GCP) [Added]
T4244: Serve private media content with Media CDN (GCP) [Added]
- P2248: Insufficient protection for high-value media content (GCP) [Added]
T4245: Look for logging anomalies and consider watermarking content (GCP) [Added]
- P2249: Failure to detect unauthorized media access (GCP) [Added]
T4246: Defend media workloads against denial of service attacks (GCP) [Added]
- P2250: Denial of service attacks against streaming services (GCP) [Added]
T4247: Follow the assess, mobilize, migrate pattern (GCP) [Added]
- P2251: Lack of migration planning (GCP) [Added]
T4248: Understand how discovery tools use data and ensure it is handled securely. (GCP) [Added]
- P2252: Excessive permissions for discovery tools (GCP) [Added]
T4249: Begin migrations by establishing a landing zone (GCP) [Added]
- P2253: Incomplete or insecure deployment (GCP) [Added]
T4250: Protect migration data with validation and a secure connection method (GCP) [Added]
- P2254: Failure to safeguard data during migration (GCP) [Added]
T4251: Segment your network and implement security controls between zones (GCP) [Added]
- P2255: Insufficient network isolation in a GCP environment (GCP) [Added]
T4252: Put public endpoints behind a load balancer (GCP) [Added]
- P2256: Failure to protect public endpoints (GCP) [Added]
T4253: Harden VPCs against denial of service attacks (GCP) [Added]
- P2257: Denial of service attacks against networks and public endpoints (GCP) [Added]
T4254: Implement best practices for hybrid networks (GCP) [Added]
- P2258: Weak security controls for hybrid networks (GCP) [Added]
T4255: Follow best practices for key management and monitoring (GCP) [Added]
- P2259: Insecure key management for Google Cloud Security and Identity (GCP) [Added]
T4256: Ensure security events trigger notifications and responses (GCP) [Added]
- P2260: Insufficient monitoring of security events (GCP) [Added]
T4257: Conduct regular security audits (GCP) [Added]
- P2261: Failing to follow business security policy (GCP) [Added]
T4258: Use IAM conditions for fine-grained security in complex environments (GCP) [Added]
- P2262: Inflexible IAM policies for large and dynamic systems (GCP) [Added]
T4259: Implement access controls based on the sensitivity and criticality of data (GCP) [Added]
- P2263: Insufficient data access controls (GCP) [Added]
T4260: Use detective controls and data auditing to detect anomalous activity (GCP) [Added]
- P2264: Failure to monitor storage access (GCP) [Added]
T4261: Schedule regular backups (GCP) [Added]
- P2265: Failure to safeguard against data loss in cloud storage (GCP) [Added]
T4262: Establish a service perimeter around workloads with sensitive data (GCP) [Added]
- P2266: Data exfiltration from sensitive workloads (GCP) [Added]
T4263: Implement traffic controls such as rate limiting [Added]
- P2267: Denial of service attacks against API endpoints [Added]
T4264: Validate and reject malicious requests before processing them [Added]
- P2268: Requests with excessively large or corrupted data [Added]
T4265: Implement strong authentication and require authorization for all API requests [Added]
- P2269: Weak authentication of API requests [Added]
T4266: Require TLS encryption for API gateway connections [Added]
- P2270: Unencrypted communication with an API server [Added]
T4267: Log API activity and monitor for security events [Added]
- P2271: Insufficient logging of API activity [Added]
T4268: Store pipeline secrets in AWS Secrets Manager (AWS CodePipeline) [Added]
- P2272: Hard-coded secrets in CodePipeline configuration (AWS CodePipeline) [Added]
T4269: Use a CMK for encryption when required (AWS CodePipeline) [Added]
- P2273: Using the default encryption configuration for AWS CodePipeline artifacts (AWS CodePipeline) [Added]
T4270: Run the automation server on a dedicated EC2 instance (AWS CodePipeline) [Added]
- P2274: Insecure hosting for automation servers like Jenkins (AWS CodePipeline) [Added]
T4271: Use the correct type of endpoint for your use case (Azure SQL MI) [Added]
- P2275: Insufficient network protection (Azure SQL MI) [Added]
T4272: Use Microsoft Entra ID for database authentication (Azure SQL MI) [Added]
- P2276: Weak authentication for database users (Azure SQL MI) [Added]
T4273: Enable Transparent Data Encryption (Azure SQL MI) [Added]
- P2277: Unencrypted data at rest (Azure SQL MI) [Added]
T4274: Consider using SQL Server's granular access control features (Azure SQL MI) [Added]
- P2278: Overly permissive access to sensitive data (Azure SQL MI) [Added]
T4275: Enable Advanced Threat Detection in Microsoft Defender for SQL (Azure SQL MI) [Added]
- P2279: Failure to monitor for database attacks (Azure SQL MI) [Added]
T4276: Use routing rules to require authentication (Azure Static Web Apps) [Added]
- P2280: Anonymous access to Azure Static Web Apps (Azure Static Web Apps) [Added]
T4277: Implement role-based authorization (Azure Static Web Apps) [Added]
- P2281: Insufficient authorization controls for signed-in users (Azure Static Web Apps) [Added]
T4278: Do not use a visitor password to protect sensitive data or features (Azure Static Web Apps) [Added]
- P2282: Improper use of the password protection feature (Azure Static Web Apps) [Added]
T4279: Include Azure data removal links in your privacy policy (Azure Static Web Apps) [Added]
- P2283: Failure to inform the user how to remove consent (Azure Static Web Apps) [Added]
T4280: Enable Application Insights for API monitoring (Azure Static Web Apps) [Added]
- P2284: Insufficient monitoring of API activity (Azure Static Web Apps) [Added]
T4281: Run Podman containers as a non-root user (Podman) [Added]
- P2285: Containers with root privileges on the host system (Podman) [Added]
T4282: Configure Podman to require signed images from a trusted registry (Podman) [Added]
- P2286: Supply chain attacks against container images (Podman) [Added]
T4283: Use minimal images that have been hardened for security (Podman) [Added]
- P2287: Expanded attack surface from large and full-featured images (Podman) [Added]
T4284: Enable Podman log auditing (Podman) [Added]
- P2288: Lack of visibility for container actions (Podman) [Added]
T4285: Customize the Podman seccomp profile as needed (Podman) [Added]
- P2289: Running Podman with an overly permissive seccomp profile (Podman) [Added]
T4286: Limit automatic restarts and resource usage (Podman) [Added]
- P2290: Denial of service events from container failures (Podman) [Added]
T4287: Make container file systems read-only (Podman) [Added]
- P2291: Containers with writeable file systems (Podman) [Added]
T4288: Limit container access to networking (Podman) [Added]
- P2292: Containers with insufficient network protections (Podman) [Added]
T4289: Use MFA and set strict password policies (Salesforce) [Added]
- P2293: Weak authentication practices (Salesforce) [Added]
T4290: Configure trusted and restricted IP ranges (Salesforce) [Added]
- P2294: Access from untrusted locations (Salesforce) [Added]
T4291: Harden session configuration settings (Salesforce) [Added]
- P2295: Insufficient protection against session hijacking (Salesforce) [Added]
T4292: Grant least privilege access to Salesforce users (Salesforce) [Added]
- P2296: Excessive permissions for Salesforce users (Salesforce) [Added]
T4293: Monitor Salesforce system activity and configure alerts (Salesforce) [Added]
- P2297: Failure to monitor Salesforce activity (Salesforce) [Added]
T4294: Configure a Field Audit Trail policy for sensitive and critical data (Salesforce) [Added]
- P2298: Lack of change history for data fields (Salesforce) [Added]
T4295: Protect sensitive fields with Platform Encryption (Salesforce) [Added]
- P2299: Unencrypted data at rest (Salesforce) [Added]
T4296: Schedule regular backups to protect availability (Salesforce) [Added]
- P2300: Failure to safeguard against data loss (Salesforce) [Added]
T4297: Sanitize untrusted content (Salesforce) [Added]
- P2301: Malicious content injection (Salesforce) [Added]
T4298: Use the latest versions of Vertex AI containers and VM images (Vertex AI) [Added]
- P2302: Out of date software for Vertex AI containers (Vertex AI) [Added]
T4299: Schedule regular monitoring jobs with Vertex AI Model Monitoring (Vertex AI) [Added]
- P2303: Failure to monitor a deployed model (Vertex AI) [Added]
T4300: Conside using customer-managed encryption keys (CMEKs) (Vertex AI) [Added]
- P2304: Lack of control with service-managed encryption keys (Vertex AI) [Added]
T4301: Anonymize sensitive data so it is not visible in the analytics environment (Azure) [Added]
- P2305: Insufficient privacy of data in analytics workloads (Azure) [Added]
T4302: Enable data exfiltration protection for Azure Synapse Analytics workspaces with sensitive data (Azure) [Added]
- P2306: Data exfiltration from analytics workloads (Azure) [Added]
T4303: Ensure all types of data are reviewed and classified (Azure) [Added]
- P2307: Insufficient data classification and data controls (Azure) [Added]
T4304: Isolate application workloads according to security requirements (Azure) [Added]
- P2308: Insufficient isolation of application workloads (Azure) [Added]
T4305: Ensure compute services have sufficient resources (Azure) [Added]
- P2309: Denial of service attacks against application workloads (Azure) [Added]
T4306: Monitor application workloads and patch vulnerabilities (Azure) [Added]
- P2310: Undetected vulnerabilities in application workloads (Azure) [Added]
T4307: Deploy application environments through automation (Azure) [Added]
- P2311: Manual application management processes (Azure) [Added]
T4308: Use trusted container images (Azure) [Added]
- P2312: Vulnerable container images (Azure) [Added]
T4309: Protect images against supply chain attacks (Azure) [Added]
- P2313: Supply chain attacks that target container images (Azure) [Added]
T4310: Run containers with a least privilege identity (Azure) [Added]
- P2314: Containers with excessive privileges (Azure) [Added]
T4311: Periodically rescan container images (Azure) [Added]
- P2315: Undetected vulnerabilities in deployed container images (Azure) [Added]
T4312: Monitor container workloads (Azure) [Added]
- P2316: Insufficient monitoring of container workloads (Azure) [Added]
T4313: Use Entra ID authentication for databases if supported (Azure) [Added]
- P2317: Weaknesses in credential management (Azure) [Added]
T4314: Create dedicated database user accounts with minimum privileges (Azure) [Added]
- P2318: Excessive permissions for database user accounts (Azure) [Added]
T4315: Use at-rest encryption and consider using a CMK (Azure) [Added]
- P2319: Unencrypted data at rest (Azure) [Added]
T4316: Schedule regular database backups to protect availability (Azure) [Added]
- P2320: Failure to safeguard against data loss in databases (Azure) [Added]
T4317: Monitor security events and consider audit logging (Azure) [Added]
- P2321: Failure to monitor database activity (Azure) [Added]
T4318: Protect secrets in the development environment (Azure) [Added]
- P2322: Insufficient protection of development secrets (Azure) [Added]
T4319: Give developers least privilege access to the development environment (Azure) [Added]
- P2323: Excessive permissions in the development environment (Azure) [Added]
T4320: Log activity in the development environment (Azure) [Added]
- P2324: Insufficient monitoring of development activity and CI/CD processes (Azure) [Added]
T4321: Use a centralized artifact store to manage dependencies (Azure) [Added]
- P2325: Vulnerable or malicious application dependencies (Azure) [Added]
T4322: Deploy software using automated processes (Azure) [Added]
- P2326: Poor dependency management with manual deployment (Azure) [Added]
T4323: Sign custom code and verify signatures (Azure) [Added]
- P2327: Failure to guarantee code integrity (Azure) [Added]
T4324: Integrate application security testing into the CI/CD pipeline (Azure) [Added]
- P2328: Failure to detect vulnerable code (Azure) [Added]
T4325: Implement best practices for hybrid networks (Azure) [Added]
- P2329: Weak security controls for hybrid networks (Azure) [Added]
T4326: Use automated processes to keep people away from data (Azure) [Added]
- P2330: Manual management processes with insufficient security controls (Azure) [Added]
T4327: Use Azure Policy to enforce a consistent security baseline (Azure) [Added]
- P2331: Lack of controls to enforce security policy in complex environments (Azure) [Added]
T4328: Follow best practices for logging and monitoring (Azure) [Added]
- P2332: Insecure or insufficient monitoring (Azure) [Added]
T4329: Vet data and monitor models according to best practices (Azure) [Added]
- P2333: Data poisoning attacks (Azure) [Added]
T4330: Vet training data sets for sensitive data and sanitize them (Azure) [Added]
- P2334: Exposure of sensitive or confidential data (Azure) [Added]
T4331: Use Azure AI Content Safety (Azure) [Added]
- P2335: Offensive content or prompt injection attacks (Azure) [Added]
T4332: Isolate ML workloads (Azure) [Added]
- P2336: Unecessary exposure of ML environments (Azure) [Added]
T4333: Review the Azure Responsible AI Standard and ensure your application is in compliance (Azure) [Added]
- P2337: Failure to meet the Azure Responsible AI Standard (Azure) [Added]
T4334: Segment your network and implement security controls between zones (Azure) [Added]
- P2338: Insufficient network isolation in an Azure environment (Azure) [Added]
T4335: Deploy Azure Firewall at the network perimeter (Azure) [Added]
- P2339: Failure to secure the network perimeter (Azure) [Added]
T4336: Put public endpoints behind a load balancer (Azure) [Added]
- P2340: Failure to protect public endpoints (Azure) [Added]
T4337: Harden VNets against denial of service attacks (Azure) [Added]
- P2341: Denial of service attacks against networks and public endpoints (Azure) [Added]
T4338: Follow best practices for key management and monitoring (Azure) [Added]
- P2342: Insecure key management (Azure) [Added]
T4339: Ensure security events trigger notifications and responses (Azure) [Added]
- P2343: Insufficient monitoring of security events (Azure) [Added]
T4340: Conduct regular security audits (Azure) [Added]
- P2344: Failing to follow business security policy (Azure) [Added]
T4341: Use role assignment conditions for fine-grained security in complex environments (Azure) [Added]
- P2345: Inflexible IAM policies for large and dynamic systems (Azure) [Added]
T4342: Implement access controls based on the sensitivity and criticality of data (Azure) [Added]
- P2346: Insufficient data access controls (Azure) [Added]
T4343: Enable Microsoft Defender for Storage to detect anomalous activity (Azure) [Added]
- P2347: Failure to monitor storage access and exfiltration (Azure) [Added]
T4344: Schedule regular backups (Azure) [Added]
- P2348: Failure to safeguard against data loss in storage (Azure) [Added]
T4345: Implement a centralized artifact store in AWS CodePipeline [Added]
- P2350: Inconsistent and unsecured management of software dependencies [Added]
T4346: Integrate SAST and SCA Tools into AWS CodePipeline [Added]
- P2351: Undetected security vulnerabilities in source code and third-party dependencies [Added]
T4347: Implement fine-grained IAM policies for AWS CodePipeline [Added]
- P2352: Over-Permissioning in AWS CodePipeline [Added]
T4348: Enable and configure AWS CloudTrail for CodePipeline [Added]
- P2353: Lack of Visibility and Auditing in AWS CodePipeline [Added]
T4349: Enable IAM Authentication for AWS ElastiCache for Redis (AWS ElastiCache) [Added]
- P2354: Credential Exposure and Management Risks (AWS ElastiCache) [Added]
T4350: Implement Dedicated IAM Roles for ElastiCache Access (AWS ElastiCache) [Added]
- P2355: Over-privileged Access (AWS ElastiCache) [Added]
T4351: Enable At-Rest Encryption for AWS ElastiCache (AWS ElastiCache) [Added]
- P2356: Unauthorized Data Access (AWS ElastiCache) [Added]
T4352: Enable and Configure Scheduled Backups for AWS ElastiCache for Redis (AWS ElastiCache) [Added]
- P2357: Data Loss Due to Failures or Disasters (AWS ElastiCache) [Added]
T4353: Enhance Monitoring and Logging for AWS ElastiCache (AWS ElastiCache) [Added]
- P2358: Lack of database monitoring and logging (AWS ElastiCache) [Added]
T4354: Securely Manage Secrets in CI/CD Pipelines (CircleCI) [Added]
- P2359: Insecure Secrets Management in CI/CD Pipelines [Added]
T4355: Isolate and Encrypt Sensitive Files (CircleCI) [Added]
- P2360: Insecure Storage of Sensitive Files [Added]
T4356: Secure Handling of Secrets in CI/CD Pipelines for Forked Pull Requests (CircleCI) [Added]
- P2361: Insecure Handling of Secrets in CI/CD Pipelines for Forked Pull Requests (CircleCI) [Added]
T4357: Use Trufflehog and GitLeaks to Scan for Exposed Secrets in Git History (CircleCI) [Added]
- P2362: Lack of Automated Detection of Exposed Secrets [Added]
T4358: Implement Static and Dynamic Application Security Testing (CircleCI) [Added]
- P2363: Lack of Static and Dynamic Application Security Testing [Added]
T4359: Automate Compliance Checks in CI Pipelines (CircleCI) [Added]
- P2364: Lack of Regulatory Compliance in Software Development [Added]
T4360: Conduct reviews and improvement of the SDL process [Added]
- P2349: Lack of periodic analysis of security processes [Added]
T4361: Periodically review security requirements [Added]
T4362: Document and apply secure design best practices [Added]
T4363: Review user manuals for errors and omissions [Added]
T4364: Validate that review and improvement of the SDL process is conducted [Added]
- P2349: Lack of periodic analysis of security processes [Added]
T4365: Verify that security requirements are periodically reviewed [Added]
T4366: Verify that secure design best practices are documented and applied [Added]
T4367: Verify that user manuals are reviewed for errors and omissions [Added]
T4368: Implement Rigorous Package Vetting Before Addition (AWS CodeArtifact) [Added]
- P2365: Dependency Substitution (AWS CodeArtifact) [Added]
T4369: Implement Automated Deployment Processes (AWS CodeArtifact) [Added]
- P2366: Human Error in Deployment (AWS CodeArtifact) [Added]
T4370: Integrate Security Testing Tools (AWS CodeArtifact) [Added]
- P2367: Vulnerabilities in Software Artifacts (AWS CodeArtifact) [Added]
T4371: Implement Least Privilege Access (AWS CodeArtifact) [Added]
- P2368: Excessive Developer Permissions (AWS CodeArtifact) [Added]
T4372: Enable and Configure AWS CloudTrail (AWS CodeArtifact) [Added]
- P2369: Unauthorized Access and Modification Risks (AWS CodeArtifact) [Added]
T4373: Ensure compliance before marketing digital products (EU CRA) [Added]
- P2370: Non-compliance with regulatory standards (EU CRA) [Added]
T4374: Determine if your product is subject to conformity assessment procedures (EU CRA) [Added]
- P2371: Lack of clear product categorization (EU CRA) [Added]
T4375: Enhance skills for a cyber resilient digital environment (EU CRA) [Added]
- P2372: Skill gaps and knowledge deficiencies (EU CRA) [Added]
T4376: Implement cybersecurity measures for digital product (EU CRA) [Added]
- P2373: Lack of implementing cybersecurity measures for digital products (EU CRA) [Added]
T4377: Delivery with secure by default configuration with ability to reset to original state (EU CRA) [Added]
- P2374: Insecure default configurations (EU CRA) [Added]
T4378: Implement network connection limits and exception handling (EU CRA) [Added]
- P2375: Network saturation and overload (EU CRA) [Added]
T4379: Implement Defense in Depth Principles (EU CRA) [Added]
- P2376: Lack of implementing Defense-in-Depth principles (EU CRA) [Added]
T4380: Implement automatic security updates and notifications in your product (EU CRA) [Added]
- P2377: Lack of automatic security updates and notifications (EU CRA) [Added]
- TA6894: Ensure long-term security updates availability [Added]
T4381: Provide proper identification and information for your product (EU CRA) [Added]
- P2378: Untraceable products (EU CRA) [Added]
T4382: Coordinate with authorities (EU CRA) [Added]
- P2379: Lack of accountability and traceability in cybersecurity compliance (EU CRA) [Added]
T4383: Ensure timely reporting of cyber vulnerabilities and incidents (EU CRA) [Added]
- P2380: Delayed or insufficient communication regarding cybersecurity threats (EU CRA) [Added]
T4384: Implement and maintain cybersecurity measures for open-source software development (EU CRA) [Added]
- P2381: Insufficient cybersecurity governance and coordination in open-source projects (EU CRA) [Added]
T4385: Craft and maintain the EU Declaration of Conformity (EU CRA) [Added]
- P2382: Inadequate documentation and formal assurance of compliance with EU cybersecurity standards (EU CRA) [Added]
T4386: Ensure proper CE marking (EU CRA) [Added]
- P2383: Lack of CE marking (EU CRA) [Added]
T4387: Prepare and update technical documentation for your product (EU CRA) [Added]
- P2384: Lack of proper technical documentation (EU CRA) [Added]
T4388: Implement conformity assessments for digital products based on risk classification (EU CRA) [Added]
- P2385: Lack of conformity assessments for digital products (EU CRA) [Added]
T4433: Prevent path environment attacks (Bash/Shell) [Added]
- P2404: Lack of inputs and environment verification (Bash/Shell) [Added]
T4434: Prevent injection attacks (Bash/Shell) [Added]
- P2404: Lack of inputs and environment verification (Bash/Shell) [Added]
T4435: Prevent path traversal and file path manipulation (Bash/Shell) [Added]
- P2404: Lack of inputs and environment verification (Bash/Shell) [Added]
- I1896: Restrict Directories [Added]
T4436: Protect directory writing and reading (Bash/Shell) [Added]
- P2405: Lack of directory writing and reading protection (Bash/Shell) [Added]
T4437: Prevent input file attacks (Bash/Shell) [Added]
- P2406: Lack of input file protection (Bash/Shell) [Added]
T4438: Prevent file upload vulnerabilities (Bash/Shell) [Added]
- P2407: Lack of file upload protection (Bash/Shell) [Added]
- I1897: Restrict File Types [Added]
- I1898: Validate File Content [Added]
T4439: Prevent authentication attacks (Bash/Shell) [Added]
- P2408: Lack of protection against authentication attacks (Bash/Shell) [Added]
- I1899: Use Secure Password Storage [Added]
- I1900: Implement Password Hashing and Salting [Added]
- I1901: Enforce Strong Password Policies [Added]
- I1902: Implement Rate Limiting [Added]
T4440: Enforce access controls (Bash/Shell) [Added]
- P2409: Lack of permissions and access controls (Bash/Shell) [Added]
- I1903: Use Access Control Lists (ACLs) [Added]
T4441: Prevent attacks related to environmental vulnerabilities (Bash/Shell) [Added]
- P2410: Lack of protection against environmental vulnerabilities (Bash/Shell) [Added]
T4442: Manage and protect script processes (Bash/Shell) [Added]
- P2411: Lack of protection against script process vulnerabilities (Bash/Shell) [Added]
T4443: Prevent cryptographic failures (Bash/Shell) [Added]
- P2412: Cryptography failures (Bash/Shell) [Added]
T4444: Test prevention of path environment attacks (Bash/Shell) [Added]
- P2404: Lack of inputs and environment verification (Bash/Shell) [Added]
T4445: Test prevention of injection attacks (Bash/Shell) [Added]
- P2404: Lack of inputs and environment verification (Bash/Shell) [Added]
T4446: Test prevention of path traversal and file path manipulation (Bash/Shell) [Added]
- P2404: Lack of inputs and environment verification (Bash/Shell) [Added]
T4447: Test directory writing and reading (Bash/Shell) [Added]
- P2405: Lack of directory writing and reading protection (Bash/Shell) [Added]
T4448: Test prevention against input file attacks (Bash/Shell) [Added]
- P2406: Lack of input file protection (Bash/Shell) [Added]
T4449: Test prevention of file upload vulnerabilities (Bash/Shell) [Added]
- P2407: Lack of file upload protection (Bash/Shell) [Added]
T4450: Test authentication (Bash/Shell) [Added]
- P2408: Lack of protection against authentication attacks (Bash/Shell) [Added]
T4451: Test access controls (Bash/Shell) [Added]
- P2409: Lack of permissions and access controls (Bash/Shell) [Added]
T4452: Test environmental vulnerabilities (Bash/Shell) [Added]
- P2410: Lack of protection against environmental vulnerabilities (Bash/Shell) [Added]
T4453: Test protection of script processes (Bash/Shell) [Added]
- P2411: Lack of protection against script process vulnerabilities (Bash/Shell) [Added]
T4454: Test cryptographic functions (Bash/Shell) [Added]
- P2412: Cryptography failures (Bash/Shell) [Added]
T4455: Prevent prompt injection in Large Language Models (Project Manager) [Added]
- TA6944: Conduct scenario-based prompt injection simulations [Added]
T4456: Prevent prompt injection in Large Language Models (MLOps Engineer) [Added]
- TA6945: Implement continuous monitoring and alerting systems [Added]
T4457: Prevent prompt injection in Large Language Models (AI/ML Developer) [Added]
- TA6946: Develop input sanitization and verification modules [Added]
T4458: Prevent prompt injection in Large Language Models (Data Scientist) [Added]
- TA6947: Develop and validate secure function libraries [Added]
T4459: Prevent prompt injection in Large Language Models (QA Analyst) [Added]
- TA6948: Design and execute prompt injection attack test cases [Added]
T4460: Handle insecure output in Large Language Models (AI/ML Developer) [Added]
- TA6949: Develop output sanitization and validation pipelines [Added]
T4461: Handle insecure output in Large Language Models (MLOps Engineer) [Added]
- TA6950: Implement secure output handling frameworks [Added]
T4462: Prevent training data poisoning in Large Language Models (Project Manager) [Added]
- TA6910: Implement continuous monitoring and anomaly detection [Added]
T4463: Prevent training data poisoning in Large Language Models (MLOps Engineer) [Added]
- TA6911: Develop data auditing and validation pipelines [Added]
T4464: Prevent training data poisoning in Large Language Models (Data Scientist) [Added]
- TA6912: Design data preprocessing and cleaning framework [Added]
T4465: Prevent training data poisoning in Large Language Models (AI/ML Developer) [Added]
- TA6913: Implement multi-stage model validation and evaluation [Added]
T4466: Prevent Large Language Model denial of service (Project Manager) [Added]
- TA6914: Establish incident response and mitigation protocols [Added]
- TA6951: Establish incident response and mitigation protocols [Added]
T4467: Prevent Large Language Model denial of service (MLOps Engineer) [Added]
- TA6915: Implement resource allocation monitoring and throttling mechanisms [Added]
- TA6952: Implement adaptive resource management and rate limiting [Added]
T4468: Prevent Large Language Models denial of service (AI/ML Developer) [Added]
- TA6916: Develop scalable input handling and load management strategies [Added]
- TA6953: Design context-aware input filtering and constraints [Added]
T4469: Prevent Large Language Model denial of service (QA Analyst) [Added]
- TA6917: Develop comprehensive test scenarios for stress testing [Added]
- TA6954: Develop comprehensive resource utilization test scenarios [Added]
T4470: Protect Large Language Models against supply chain vulnerabilities (Project Manager) [Added]
- TA6896: Implement real-time activity monitoring [Added]
T4471: Protect Large Language Models against supply chain vulnerabilities (MLOps Engineer) [Added]
- TA6897: Implement automated integrity checks and provenance tracking [Added]
T4472: Protect Large Language Models against supply chain vulnerabilities (AI/ML Developer) [Added]
- TA6898: Implement dependency and provenance tracking [Added]
T4473: Protect Large Language Models against supply chain vulnerabilities (Data Scientist) [Added]
- TA6899: Implement data validation and monitoring mechanisms [Added]
T4474: Prevent sensitive information disclosure in Large Language Models (Project Manager) [Added]
- TA6900: Implement continuous data sanitization and monitoring protocols [Added]
- TA6931: Enforce data handling policies for vector databases [Added]
T4475: Prevent sensitive information disclosure in Large Language Models (MLOps Engineer) [Added]
- TA6901: Implement secure data ingestion and access controls [Added]
- TA6932: Implement strict access controls for vector databases [Added]
T4476: Prevent sensitive information disclosure in Large Language Models (AI/ML Developer) [Added]
- TA6902: Develop data sanitization algorithms [Added]
- TA6933: Sanitize data ingestion for vector databases [Added]
T4477: Prevent sensitive information disclosure in Large Language Models (Data Scientist) [Added]
- TA6903: Develop techniques for differential privacy and anonymization [Added]
- TA6934: Design data scrubbing protocols for vector databases [Added]
T4478: Design secure plugins for Large Language Models (Project Manager) [Added]
- TA6955: Establish secure plugin integration protocols [Added]
T4479: Design secure plugins for Large Language Models (AI/ML Developer) [Added]
- TA6956: Implement parameterized input and safeguards [Added]
T4480: Design secure plugins for Large Language Models (MLOps Engineer) [Added]
- TA6957: Implement secure authorization and tracing protocols [Added]
T4481: Design secure plugins for Large Language Models (QA Analyst) [Added]
- TA6958: Develop test scenarios for manual authorization workflow [Added]
T4482: Mitigate excessive agency in Large Language Models (Project Manager) [Added]
- TA6959: Implement human-in-the-loop review protocols [Added]
T4483: Mitigate excessive agency in Large Language Models (MLOps Engineer) [Added]
- TA6960: Implement permission management and activity monitoring systems [Added]
T4484: Mitigate excessive agency in Large Language Models (AI/ML Developer) [Added]
- TA6961: Develop plugins with granular and restricted functionality [Added]
T4485: Mitigate excessive agency in Large Language Models (QA Analyst) [Added]
- TA6962: Validate user authorization and security scope compliance [Added]
T4486: Mitigate overreliance in Large Language Models (Project Manager) [Added]
T4487: Mitigate overreliance in Large Language Models (MLOps Engineer) [Added]
- TA6918: Implement multi-factor model verification and cross-validation procedures [Added]
T4488: Mitigate overreliance in Large Language Models (AI/ML Developer) [Added]
- TA6919: Develop response validation and consistency filtering systems [Added]
T4489: Mitigate overreliance in Large Language Models (Data Scientist) [Added]
- TA6920: Design and implement cross-verification frameworks and task modularization [Added]
T4490: Mitigate overreliance in Large Language Models (QA Analyst) [Added]
- TA6921: Develop comprehensive testing protocols for user interfaces and API [Added]
T4491: Prevent model theft in Large Language Models (Project Manager) [Added]
- TA6926: Implement vector database access protocols [Added]
T4492: Prevent model theft in Large Language Models (MLOps Engineer) [Added]
- TA6927: Implement vector database security measures [Added]
T4493: Prevent model theft in Large Language Models (AI/ML Developer) [Added]
- TA6928: Develop anomaly detection for vector database queries [Added]
T4494: Prevent model theft in Large Language Models (Data Scientist) [Added]
- TA6929: Strengthen physical security for vector database infrastructure [Added]
T4495: Prevent model theft in Large Language Models (QA Analyst) [Added]
- TA6930: Audit vector database access logs and activities [Added]
T4496: Protect ML models against input manipulation attacks (MLOps Engineer) [Added]
- TA6904: Integrate real-time threat detection and response systems [Added]
T4497: Protect ML models against input manipulation attacks (AI/ML Developer) [Added]
- TA6905: Develop defense mechanisms for adversarial robustness [Added]
T4498: Protect ML models against input manipulation attacks (QA Analyst) [Added]
- TA6906: Design comprehensive adversarial testing protocols [Added]
T4499: Protect ML models against data poisoning and skewing attacks (Project Manager) [Added]
- TA6922: Establish proactive data integrity and security protocols [Added]
T4500: Protect ML models against data poisoning and skewing attacks (MLOps Engineer) [Added]
- TA6923: Integrate advanced security measures and access management systems [Added]
T4501: Protect ML models against data poisoning and skewing attacks (AI/ML Developer) [Added]
- TA6924: Develop multi-model ensemble and performance monitoring frameworks [Added]
T4502: Protect ML models against data poisoning and skewing attacks (Data Scientist) [Added]
- TA6925: Develop data validation and resilient training techniques [Added]
T4503: Protect ML models against inversion attacks (Project Manager) [Added]
- TA6940: Enhance model transparency and monitoring for vector database queries [Added]
T4504: Protect ML models against inversion attacks (MLOps Engineer) [Added]
- TA6941: Secure access and regularly update vector databases [Added]
T4505: Protect ML models against inversion attacks (AI/ML Developer) [Added]
- TA6942: Validate input data and apply secure feature extraction for vector databases [Added]
T4506: Protect ML models against inversion attacks (QA Analyst) [Added]
- TA6943: Monitor anomalies and validate distributions for vector database queries [Added]
T4507: Prevent sensitive data exposure in ML models (Project Manager) [Added]
- TA6935: Implement regular audits for vector database compliance [Added]
T4508: Prevent sensitive data exposure in ML models (MLOps Engineer) [Added]
- TA6936: Enhance data encryption and access control for vector databases [Added]
T4509: Prevent sensitive data exposure in ML models (AI/ML Developer) [Added]
- TA6937: Implement privacy-preserving techniques for vector databases [Added]
T4510: Prevent sensitive data exposure in ML models (Data Scientist) [Added]
- TA6938: Anonymize data and implement advanced privacy techniques for vector databases [Added]
T4511: Prevent sensitive data exposure in ML models (QA Analyst) [Added]
- TA6939: Perform output monitoring and anomaly detection for vector database queries [Added]
T4512: Protect ML models against theft (Project Manager) [Added]
T4513: Protect ML models against theft (MLOps Engineer) [Added]
T4514: Protect ML models against theft (AI/ML Developer) [Added]
T4515: Protect ML models against theft (QA Analyst) [Added]
T4516: Protect ML models against supply chain attacks (Project Manager) [Added]
T4517: Protect ML models against supply chain attacks (MLOps Engineer) [Added]
T4518: Protect ML models against supply chain attacks (QA Analyst) [Added]
T4519: Protect ML models against poisoning attacks (Project Manager) [Added]
- TA6907: Establish comprehensive data verification and source management [Added]
T4520: Protect ML models against poisoning attacks (MLOps Engineer) [Added]
- TA6908: Enforce environment segmentation and secure deployment [Added]
T4521: Protect ML models against poisoning attacks (AI/ML Developer) [Added]
- TA6909: Implement regularization and encryption techniques [Added]
Changes to Project Properties and Profiles
- Q195: Language and Framework
  - Q109: Programming Language
    - A1621: Bash/Shell [Added]
- Q237: Compliance Scope: Other
  - Q374: In scope for UK PSTI [Added]
    - A1595: Yes [Added]
  - Q378: In-Scope for EU Cyber Resilience Act [Added]
    - A1609: Yes [Added]
    - A1610: Open-source software steward [Added]
- Q243: Internal Hidden Properties
  - Q189: Internal Properties (Use this, for all hidden answers)
    - A1586: GCP Blockchain (hidden) [Added]
    - A1587: GCP Business Applications (hidden) [Added]
- Q249: Industrial Control Systems
  - Q250: In-Scope for ANSI/ISA 62443 or CSA/SSA-311
    - A1374: ANSI/ISA 62443-4-1 or SDLA 312 [Updated]
      - INFO: Updated the children.
- Q262: External Dependencies
  - Q263: Software Updates
    - Q373: Customer relationship management (CRM) [Added]
      - A1594: Uses Salesforce CRM [Added]
- Q271: Interfaces and APIs
  - Q270: Interfaces and APIs Provided
    - A1593: Uses API gateway for providing web APIs [Added]
- Q284: Context and Characteristics
  - Q252: Application's Context and Characteristics
    - Q376: AI/ML Usecases [Added]
      - A1622: Fine-tuning [Added]
      - A1623: Prompt engineering [Added]
      - A1624: Retrieval augmented generation [Added]
      - A1625: Vector databases [Added]
  - Q124: Payment Service Provider [Updated]
    - INFO: Updated the parent.
  - Q165: Health Care Systems [Updated]
    - INFO: Updated the parent.
  - Q285: ICS [Updated]
    - INFO: Updated the parent.
  - Q295: Game Applications [Updated]
    - INFO: Updated the parent.
- Q299: General
  - Q375: CI/CD Tools [Added]
    - A1596: CircleCI [Added]
- Q307: Containerization
  - Q308: Containerization Technologies
    - A1591: Podman [Added]
- Q361: Amazon Web Services (AWS)
  - Q298: AWS Services
    - Q379: More AWS Services [Added]
      - A1165: AWS RDS [Updated]
        
        INFO: Updated the text, question, and, children.
      - A1169: AWS S3 [Updated]
        
        INFO: Updated the text, question, and, children.
      - A1170: AWS IAM [Updated]
        
        INFO: Updated the text, question, and, children.
      - A1173: AWS SNS [Updated]
        
        INFO: Updated the text, question, and, children.
      - A1177: AWS VPC [Updated]
        
        INFO: Updated the text, question, and, children.
      - A1178: AWS KMS [Updated]
        
        INFO: Updated the text, question, and, children.
      - A1179: AWS Route53 [Updated]
        
        INFO: Updated the text, question, and, children.
      - A1226: AWS Lambda [Updated]
        
        INFO: Updated the text, question, and, children.
      - A1227: AWS SQS [Updated]
        
        INFO: Updated the text, question, and, children.
      - A1347: AWS Kinesis Data Streams [Updated]
        
        INFO: Updated the text, question, and, children.
      - A1348: AWS Kinesis Data Firehose [Updated]
        
        INFO: Updated the text, question, and, children.
      - A1349: AWS WAF [Updated]
        
        INFO: Updated the text, question, and, children.
      - A1366: AWS SageMaker [Updated]
        
        INFO: Updated the text, question, and, children.
      - A1380: AWS MSK [Updated]
        
        INFO: Updated the text, question, and, children.
      - A1381: AWS MQ [Updated]
        
        INFO: Updated the text, question, and, children.
      - A1382: AWS OpenSearch [Updated]
        
        INFO: Updated the text, question, and, children.
      - A1383: AWS RedShift [Updated]
        
        INFO: Updated the text, question, and, children.
      - A1384: AWS Secrets Manager [Updated]
        
        INFO: Updated the text, question, and, children.
      - A1385: AWS SES [Updated]
        
        INFO: Updated the text, question, and, children.
      - A1386: AWS Step Functions [Updated]
        
        INFO: Updated the text, question, and, children.
      - A1387: AWS Systems Manager [Updated]
        
        INFO: Updated the text, question, and, children.
      - A1388: AWS Transfer Family [Updated]
        
        INFO: Updated the text, question, and, children.
      - A1512: AWS S3 Glacier [Updated]
        
        INFO: Updated the question and children.
      - A1514: AWS Lake Formation [Updated]
        
        INFO: Updated the question and children.
      - A1597: AWS X-Ray [Added]
      - A1604: AWS GuardDuty [Added]
      - A1605: AWS Inspector [Added]
      - A1606: AWS Neptune [Added]
      - A1607: AWS Rekognition [Added]
    - A1166: AWS EBS [Updated]
      - INFO: Updated the text and children.
    - A1167: AWS AMI [Updated]
      - INFO: Updated the text and children.
    - A1168: AWS ELB [Updated]
      - INFO: Updated the text and children.
    - A1171: AWS EC2 [Updated]
      - INFO: Updated the text and children.
    - A1172: AWS Auto Scaling [Updated]
      - INFO: Updated the text and children.
    - A1174: AWS CloudWatch [Updated]
      - INFO: Updated the text and children.
    - A1175: AWS CloudFront [Updated]
      - INFO: Updated the text and children.
    - A1176: AWS Config [Updated]
      - INFO: Updated the text and children.
    - A1251: AWS Aurora [Updated]
      - INFO: Updated the text and children.
    - A1270: AWS ECS [Updated]
      - INFO: Updated the text and children.
    - A1271: AWS DynamoDB [Updated]
      - INFO: Updated the text and children.
    - A1331: AWS EKS [Updated]
      - INFO: Updated the text and children.
    - A1345: AWS API Gateway [Updated]
      - INFO: Updated the text and children.
    - A1346: AWS Cognito [Updated]
      - INFO: Updated the text and children.
    - A1375: AWS Certificate Manager [Updated]
      - INFO: Updated the text and children.
    - A1376: AWS CloudFormation [Updated]
      - INFO: Updated the text and children.
    - A1377: AWS ECR [Updated]
      - INFO: Updated the text and children.
    - A1378: AWS EFS [Updated]
      - INFO: Updated the text and children.
    - A1379: AWS ElastiCache [Updated]
      - INFO: Updated the text and children.
    - A1510: AWS App Mesh [Updated]
      - INFO: Updated the children.
    - A1511: AWS Bedrock [Updated]
      - INFO: Updated the children.
    - A1513: AWS Glue [Updated]
      - INFO: Updated the children.
    - A1588: AWS CodePipeline [Added]
    - A1598: AWS Athena [Added]
    - A1599: AWS Backup [Added]
    - A1600: AWS DataSync [Added]
    - A1601: AWS Direct Connect [Added]
    - A1602: AWS EventBridge [Added]
    - A1603: AWS Fargate [Added]
    - A1608: AWS CodeArtifact [Added]
- Q362: Microsoft Azure
  - Q306: Azure Services
    - Q370: More Azure Services
      - A1196: Azure Multi-Factor Authentication [Updated]
        
        INFO: Updated the text.
      - A1198: Azure Virtual Machines [Updated]
        
        INFO: Updated the text and children.
      - A1199: Azure Security Center [Updated]
        
        INFO: Updated the text and children.
      - A1200: Azure Storage [Updated]
        
        INFO: Updated the text and children.
      - A1201: Azure SQL Database [Updated]
        
        INFO: Updated the text and children.
      - A1202: Azure Virtual Network [Updated]
        
        INFO: Updated the text and children.
      - A1203: Azure Monitor [Updated]
        
        INFO: Updated the text and children.
      - A1206: Azure Resource Manager [Updated]
        
        INFO: Updated the text and children.
      - A1396: Azure Machine Learning [Updated]
        
        INFO: Updated the children.
      - A1397: Azure OpenAI Service [Updated]
        
        INFO: Updated the children.
      - A1402: Azure Stream Analytics [Updated]
        
        INFO: Updated the children.
      - A1403: Azure Synapse Analytics [Updated]
        
        INFO: Updated the children.
      - A1406: Azure Linux Virtual Machines [Updated]
        
        INFO: Updated the children.
      - A1407: Azure Spring Apps [Updated]
        
        INFO: Updated the children.
      - A1408: Azure Virtual Desktop [Updated]
        
        INFO: Updated the children.
      - A1409: Azure Virtual Machine Scale Sets [Updated]
        
        INFO: Updated the children.
      - A1410: Azure VMware Solution [Updated]
        
        INFO: Updated the children.
      - A1411: Azure Windows Virtual Machines [Updated]
        
        INFO: Updated the children.
      - A1415: Azure Red Hat OpenShift [Updated]
        
        INFO: Updated the children.
      - A1421: Azure Managed Instance for Apache Cassandra [Updated]
        
        INFO: Updated the children.
      - A1422: Azure SQL [Updated]
        
        INFO: Updated the children.
      - A1426: Azure Stack Edge [Updated]
        
        INFO: Updated the children.
      - A1430: Azure Logic Apps [Updated]
        
        INFO: Updated the children.
      - A1431: Azure Service Bus [Updated]
        
        INFO: Updated the children.
      - A1432: Azure Web PubSub [Updated]
        
        INFO: Updated the children.
      - A1435: Azure Notification Hubs [Updated]
        
        INFO: Updated the children.
      - A1439: Azure Lighthouse [Updated]
        
        INFO: Updated the children.
      - A1440: Azure Managed Applications [Updated]
        
        INFO: Updated the children.
      - A1441: Azure Policy [Updated]
        
        INFO: Updated the children.
      - A1442: Azure Purview [Updated]
        
        INFO: Updated the children.
      - A1443: Azure Resource Manager templates [Updated]
        
        INFO: Updated the children.
      - A1444: Azure Resource Mover [Updated]
        
        INFO: Updated the children.
      - A1445: Azure Media Services [Updated]
        
        INFO: Updated the children.
      - A1447: Azure Migrate [Updated]
        
        INFO: Updated the children.
      - A1448: Azure Site Recovery [Updated]
        
        INFO: Updated the children.
      - A1450: Azure Remote Rendering [Updated]
        
        INFO: Updated the children.
      - A1451: Azure Spatial Anchors [Updated]
        
        INFO: Updated the children.
      - A1461: Azure Load Balancer [Updated]
        
        INFO: Updated the children.
      - A1462: Azure NAT Gateway [Updated]
        
        INFO: Updated the children.
      - A1463: Azure Network Watcher [Updated]
        
        INFO: Updated the children.
      - A1464: Azure Private Link [Updated]
        
        INFO: Updated the children.
      - A1465: Azure Traffic Manager [Updated]
        
        INFO: Updated the children.
      - A1466: Azure Virtual WAN [Updated]
        
        INFO: Updated the children.
      - A1467: Azure VPN Gateway [Updated]
        
        INFO: Updated the children.
      - A1468: Azure Web Application Firewall [Updated]
        
        INFO: Updated the children.
      - A1469: Azure PostgreSQL Database [Updated]
        
        INFO: Updated the children.
      - A1475: Azure Sentinel [Updated]
        
        INFO: Updated the children.
      - A1480: Azure Managed Lustre [Updated]
        
        INFO: Updated the children.
      - A1481: Azure NetApp Files [Updated]
        
        INFO: Updated the children.
      - A1483: Azure SignalR Service [Updated]
        
        INFO: Updated the children.
      - A1589: Azure SQL Managed Instance [Added]
      - A1590: Azure Static Web Apps [Added]
    - A1197: Azure Active Directory [Updated]
      - INFO: Updated the text and children.
    - A1204: Azure Key Vault [Updated]
      - INFO: Updated the text, question, and, children.
    - A1210: Azure Functions [Updated]
      - INFO: Updated the children.
    - A1351: Azure AKS [Updated]
      - INFO: Updated the text and children.
    - A1394: Azure AI Bot Service [Updated]
      - INFO: Updated the children.
    - A1395: Azure Databricks [Updated]
      - INFO: Updated the children.
    - A1398: Azure Analysis Services [Updated]
      - INFO: Updated the children.
    - A1399: Azure Data Explorer [Updated]
      - INFO: Updated the children.
    - A1400: Azure Data Lake Analytics [Updated]
      - INFO: Updated the children.
    - A1401: Azure Event Hubs [Updated]
      - INFO: Updated the children.
    - A1404: Azure App Service [Updated]
      - INFO: Updated the children.
    - A1405: Azure Batch [Updated]
      - INFO: Updated the children.
    - A1412: Azure Container Apps [Updated]
      - INFO: Updated the children.
    - A1413: Azure Container Instances [Updated]
      - INFO: Updated the children.
    - A1414: Azure Container Registry [Updated]
      - INFO: Updated the children.
    - A1416: Azure Cache for Redis [Updated]
      - INFO: Updated the children.
    - A1417: Azure Cosmos DB [Updated]
      - INFO: Updated the children.
    - A1418: Azure Data Factory [Updated]
      - INFO: Updated the children.
    - A1419: Azure Database for MariaDB [Updated]
      - INFO: Updated the children.
    - A1420: Azure Database for MySQL [Updated]
      - INFO: Updated the children.
    - A1423: Azure App Configuration [Updated]
      - INFO: Updated the children.
    - A1424: Azure DevTest Labs [Updated]
      - INFO: Updated the children.
    - A1425: Azure Arc [Updated]
      - INFO: Updated the children.
    - A1427: Azure Active Directory External Identities [Updated]
      - INFO: Updated the children.
    - A1428: Azure API Management [Updated]
      - INFO: Updated the children.
    - A1429: Azure Event Grid [Updated]
      - INFO: Updated the children.
    - A1433: Azure IoT Central [Updated]
      - INFO: Updated the children.
    - A1434: Azure IoT Hub [Updated]
      - INFO: Updated the children.
    - A1436: Azure Automation [Updated]
      - INFO: Updated the children.
    - A1437: Azure Cloud Shell [Updated]
      - INFO: Updated the children.
    - A1438: Azure Cost Management [Updated]
      - INFO: Updated the children.
    - A1446: Azure Database Migration Service [Updated]
      - INFO: Updated the children.
    - A1449: Azure Digital Twins [Updated]
      - INFO: Updated the children.
    - A1452: Azure Application Gateway [Updated]
      - INFO: Updated the children.
    - A1453: Azure Bastion [Updated]
      - INFO: Updated the children.
    - A1454: Azure Communications Gateway [Updated]
      - INFO: Updated the children.
    - A1455: Azure Content Delivery Network [Updated]
      - INFO: Updated the children.
    - A1456: Azure DDoS Protection [Updated]
      - INFO: Updated the children.
    - A1457: Azure DNS [Updated]
      - INFO: Updated the children.
    - A1458: Azure Firewall [Updated]
      - INFO: Updated the children.
    - A1459: Azure Firewall Manager [Updated]
      - INFO: Updated the children.
    - A1460: Azure Front Door [Updated]
      - INFO: Updated the children.
    - A1470: Azure Attestation [Updated]
      - INFO: Updated the children.
    - A1471: Azure Dedicated HSM [Updated]
      - INFO: Updated the children.
    - A1472: Azure Defender for Cloud [Updated]
      - INFO: Updated the children.
    - A1473: Azure Information Protection [Updated]
      - INFO: Updated the children.
    - A1474: Azure Key Vault Managed HSM [Updated]
      - INFO: Updated the children.
    - A1476: Azure Backup [Updated]
      - INFO: Updated the children.
    - A1477: Azure Data Box [Updated]
      - INFO: Updated the children.
    - A1478: Azure Data Share [Updated]
      - INFO: Updated the children.
    - A1479: Azure HPC Cache [Updated]
      - INFO: Updated the children.
    - A1482: Azure Communication Services [Updated]
      - INFO: Updated the children.
    - A1536: Azure Blob Storage [Updated]
      - INFO: Updated the children.
    - A1537: Azure Data Lake Storage [Updated]
      - INFO: Updated the children.
- Q363: Google Cloud Platform (GCP)
  - Q309: Google Cloud Services
    - A1213: Google Kubernetes Engine [Updated]
      - INFO: Updated the text and children.
    - A1236: Google Cloud IAM [Updated]
      - INFO: Updated the text and children.
    - A1237: Google Compute Engine [Updated]
      - INFO: Updated the text and children.
    - A1238: Google Cloud Key Management Service [Updated]
      - INFO: Updated the text and children.
    - A1239: Google Virtual Private Cloud (VPC) [Updated]
      - INFO: Updated the text and children.
    - A1240: Google Cloud Storage [Updated]
      - INFO: Updated the text and children.
    - A1241: Google Cloud Audit Logs [Updated]
      - INFO: Updated the text and children.
    - A1242: Google Cloud DNS [Updated]
      - INFO: Updated the text and children.
    - A1243: Google Cloud SQL [Updated]
      - INFO: Updated the text and children.
    - A1244: Google Stackdriver [Updated]
      - INFO: Updated the text.
    - A1337: Google BigQuery [Updated]
      - INFO: Updated the text and children.
    - A1592: Google Vertex AI Platform [Added]
Added Components
- SC38: User
- SC755: GCP Resource Manager
- SC756: GCP Media CDN
- SC757: API Gateway
- SC758: Salesforce
- SC759: Podman
- SC760: Circle CI
- SC761: Blank Component
- SC762: Attacker
Deactivated Components
- SC82: Azure Storage
Updated Components
- SC2: Database Server
  - INFO: Updated the implied attributes.
- SC34: WebLogic
  - INFO: Updated the implied attributes.
- SC47: Hardware
  - INFO: Updated the answer mapping and implied attributes.
- SC76: Azure App Service
  - INFO: Updated the implied attributes.
- SC101: Project Characteristics
  - INFO: Updated the title and description.
- SC102: Azure PostgreSQL Database
  - INFO: Updated the implied attributes.
- SC112: AWS Environment
  - INFO: Updated the implied attributes.
- SC113: Azure Environment
  - INFO: Updated the implied attributes.
- SC114: GCP Environment
  - INFO: Updated the implied attributes.
- SC115: AWS Athena
  - INFO: Updated the answer mapping and implied attributes.
- SC124: AWS Glue
  - INFO: Updated the implied attributes.
- SC127: AWS Lake Formation
  - INFO: Updated the implied attributes.
- SC137: AWS EventBridge
  - INFO: Updated the answer mapping and implied attributes.
- SC165: AWS Fargate
  - INFO: Updated the answer mapping and implied attributes.
- SC182: AWS Neptune
  - INFO: Updated the answer mapping and implied attributes.
- SC190: AWS CodeArtifact
  - INFO: Updated the description, answer mapping, and, implied attributes.
- SC195: AWS CodePipeline
  - INFO: Updated the description, answer mapping, and, implied attributes.
- SC199: AWS X-Ray
  - INFO: Updated the answer mapping and implied attributes.
- SC225: AWS Bedrock
  - INFO: Updated the implied attributes.
- SC248: AWS Rekognition
  - INFO: Updated the answer mapping and implied attributes.
- SC283: AWS DataSync
  - INFO: Updated the answer mapping and implied attributes.
- SC288: AWS App Mesh
  - INFO: Updated the implied attributes.
- SC290: AWS Direct Connect
  - INFO: Updated the answer mapping and implied attributes.
- SC309: AWS GuardDuty
  - INFO: Updated the answer mapping and implied attributes.
- SC311: AWS Inspector
  - INFO: Updated the answer mapping and implied attributes.
- SC321: AWS S3 Glacier
  - INFO: Updated the implied attributes.
- SC322: AWS Backup
  - INFO: Updated the answer mapping and implied attributes.
- SC332: Azure AI Bot Service
  - INFO: Updated the implied attributes.
- SC346: Azure Databricks
  - INFO: Updated the implied attributes.
- SC350: Azure Machine Learning
  - INFO: Updated the implied attributes.
- SC352: Azure OpenAI Service
  - INFO: Updated the implied attributes.
- SC359: Azure Analysis Services
  - INFO: Updated the implied attributes.
- SC362: Azure Data Explorer
  - INFO: Updated the implied attributes.
- SC363: Azure Data Lake Analytics
  - INFO: Updated the implied attributes.
- SC364: Azure Event Hubs
  - INFO: Updated the implied attributes.
- SC371: Azure Stream Analytics
  - INFO: Updated the implied attributes.
- SC372: Azure Synapse Analytics
  - INFO: Updated the implied attributes.
- SC373: Azure Batch
  - INFO: Updated the implied attributes.
- SC377: Azure Linux Virtual Machines
  - INFO: Updated the implied attributes.
- SC381: Azure Spring Apps
  - INFO: Updated the implied attributes.
- SC382: Azure Virtual Desktop
  - INFO: Updated the implied attributes.
- SC383: Azure Virtual Machine Scale Sets
  - INFO: Updated the implied attributes.
- SC385: Azure VMware Solution
  - INFO: Updated the implied attributes.
- SC386: Azure Windows Virtual Machines
  - INFO: Updated the implied attributes.
- SC387: Azure Container Apps
  - INFO: Updated the implied attributes.
- SC388: Azure Container Instances
  - INFO: Updated the implied attributes.
- SC389: Azure Container Registry
  - INFO: Updated the implied attributes.
- SC392: Azure Red Hat OpenShift
  - INFO: Updated the implied attributes.
- SC394: Azure Cache for Redis
  - INFO: Updated the implied attributes.
- SC395: Azure Cosmos DB
  - INFO: Updated the implied attributes.
- SC396: Azure Data Factory
  - INFO: Updated the implied attributes.
- SC397: Azure Database for MariaDB
  - INFO: Updated the implied attributes.
- SC398: Azure Database for MySQL
  - INFO: Updated the implied attributes.
- SC399: Azure Managed Instance for Apache Cassandra
  - INFO: Updated the implied attributes.
- SC400: Azure SQL
  - INFO: Updated the implied attributes.
- SC402: Azure SQL Managed Instance
  - INFO: Updated the description, answer mapping, and, implied attributes.
- SC405: Azure App Configuration
  - INFO: Updated the implied attributes.
- SC417: Azure DevTest Labs
  - INFO: Updated the implied attributes.
- SC424: Azure Arc
  - INFO: Updated the implied attributes.
- SC430: Azure Stack Edge
  - INFO: Updated the implied attributes.
- SC433: Azure Active Directory External Identities
  - INFO: Updated the implied attributes.
- SC434: Azure API Management
  - INFO: Updated the implied attributes.
- SC437: Azure Event Grid
  - INFO: Updated the implied attributes.
- SC439: Azure Logic Apps
  - INFO: Updated the implied attributes.
- SC440: Azure Service Bus
  - INFO: Updated the implied attributes.
- SC441: Azure Web PubSub
  - INFO: Updated the implied attributes.
- SC443: Azure IoT Central
  - INFO: Updated the implied attributes.
- SC445: Azure IoT Hub
  - INFO: Updated the implied attributes.
- SC447: Azure Notification Hubs
  - INFO: Updated the implied attributes.
- SC455: Azure Automation
  - INFO: Updated the implied attributes.
- SC457: Azure Cloud Shell
  - INFO: Updated the implied attributes.
- SC459: Azure Cost Management
  - INFO: Updated the implied attributes.
- SC460: Azure Lighthouse
  - INFO: Updated the implied attributes.
- SC461: Azure Managed Applications
  - INFO: Updated the implied attributes.
- SC463: Azure Policy
  - INFO: Updated the implied attributes.
- SC465: Azure Purview
  - INFO: Updated the implied attributes.
- SC466: Azure Resource Manager templates
  - INFO: Updated the description and implied attributes.
- SC467: Azure Resource Mover
  - INFO: Updated the implied attributes.
- SC474: Azure Media Services
  - INFO: Updated the implied attributes.
- SC475: Azure Database Migration Service
  - INFO: Updated the implied attributes.
- SC476: Azure Migrate
  - INFO: Updated the implied attributes.
- SC477: Azure Site Recovery
  - INFO: Updated the implied attributes.
- SC478: Azure Digital Twins
  - INFO: Updated the implied attributes.
- SC481: Azure Remote Rendering
  - INFO: Updated the implied attributes.
- SC482: Azure Spatial Anchors
  - INFO: Updated the implied attributes.
- SC484: Azure Application Gateway
  - INFO: Updated the implied attributes.
- SC485: Azure Bastion
  - INFO: Updated the implied attributes.
- SC486: Azure Communications Gateway
  - INFO: Updated the implied attributes.
- SC487: Azure Content Delivery Network
  - INFO: Updated the implied attributes.
- SC488: Azure DDoS Protection
  - INFO: Updated the implied attributes.
- SC489: Azure DNS
  - INFO: Updated the implied attributes.
- SC491: Azure Firewall
  - INFO: Updated the implied attributes.
- SC492: Azure Firewall Manager
  - INFO: Updated the implied attributes.
- SC493: Azure Front Door
  - INFO: Updated the implied attributes.
- SC495: Azure Load Balancer
  - INFO: Updated the implied attributes.
- SC496: Azure NAT Gateway
  - INFO: Updated the implied attributes.
- SC498: Azure Network Watcher
  - INFO: Updated the implied attributes.
- SC502: Azure Private Link
  - INFO: Updated the implied attributes.
- SC505: Azure Traffic Manager
  - INFO: Updated the implied attributes.
- SC507: Azure Virtual WAN
  - INFO: Updated the implied attributes.
- SC508: Azure VPN Gateway
  - INFO: Updated the implied attributes.
- SC509: Azure Web Application Firewall
  - INFO: Updated the implied attributes.
- SC510: Azure Attestation
  - INFO: Updated the implied attributes.
- SC511: Azure Dedicated HSM
  - INFO: Updated the implied attributes.
- SC513: Azure Defender for Cloud
  - INFO: Updated the implied attributes.
- SC515: Azure Information Protection
  - INFO: Updated the implied attributes.
- SC516: Azure Key Vault Managed HSM
  - INFO: Updated the implied attributes.
- SC517: Azure Sentinel
  - INFO: Updated the implied attributes.
- SC521: Azure Backup
  - INFO: Updated the implied attributes.
- SC522: Azure Blob Storage
  - INFO: Updated the implied attributes.
- SC524: Azure Data Box
  - INFO: Updated the implied attributes.
- SC525: Azure Data Lake Storage
  - INFO: Updated the implied attributes.
- SC527: Azure Data Share
  - INFO: Updated the implied attributes.
- SC531: Azure HPC Cache
  - INFO: Updated the implied attributes.
- SC532: Azure Managed Lustre
  - INFO: Updated the implied attributes.
- SC533: Azure NetApp Files
  - INFO: Updated the implied attributes.
- SC535: Azure Storage Accounts
  - INFO: Updated the description, answer mapping, and, implied attributes.
- SC539: Azure Communication Services
  - INFO: Updated the implied attributes.
- SC542: Azure SignalR Service
  - INFO: Updated the implied attributes.
- SC543: Azure Static Web AppsAzure
  - INFO: Updated the description, answer mapping, and, implied attributes.
- SC554: GCP Vertex AI Platform
  - INFO: Updated the description, answer mapping, and, implied attributes.

2024.2

July 6, 2024

New features and enhancements

Library Weaknesses
- Added the following Library Weakness UI enhancements:
  - Improved content management user experience
  - Ability to copy an existing Weakness when creating a new one
  - Display when a Weakness was edited last and by whom
  - New applicability rule user experience when viewing, adding, or editing match conditions
  - New dedicated page for related Countermeasures of a Weakness
- Added the API capability to POST, PATCH and DELETE Weaknesses
Library Profiles
- The Library Profile page has been replaced with a new page that uses modern controls
Project Classifications
- Added the ability to create new classifications in addition to the five built-in options via the UI and API
- Added the ability to reorder project classifications via the API
- Added GET, POST, and PATCH for new project classifications
Team Onboarding
- Added a new getting started option to Scan a Repository within a Project
  - Added the ability to connect to GitHub within SD Elements via OAuth
  - Added the ability to select a Repo and Branch for an Authenticated GitHub connection to scan and answer the survey
  - This includes repo scan API features released June 8
Python 3.12 upgrade
- Container images now use Python 3.12
- Remote Integration Agent (RIA) now uses Python 3.12
  - Deprecated Python 3.8
  - Existing deployments of RIA should continue to work, but only Python 3.12 RIA downloads will be available

Content improvements summary

Updates

August 3, 2024

Scan a Repository
- Added the ability to select Scan a Repository from the Project Survey page
New Content Updates Available widget
- Added the ability to selectively accept pending Countermeasure changes

August 17, 2024

Update CWEs on Weaknesses
- Added the ability for a user to update the CWE mappings on a Weakness
- Added the ability for a user to revert CWE changes back to the latest content updates

Content improvements summary

EU AI Act
- This is the first regulatory framework aimed at ensuring the safety and fundamental rights of people and businesses while fostering the adoption of Artificial Intelligence (AI). Added 22 Countermeasures to cover related articles of the Act.
LLM-based Code Generation countermeasures
- Added three Countermeasures to cover the recommendations for the common use cases of code generation using AI.
ANSI/ISA 62443 4-1 (SDLA 312)
- Added a new compliance regulation for 62443 4-1 along with amendments and test amendments.
CWEs
- Updated the CWEs to v4.14.
AWS Services
- Added content for Certificate Manager, CloudFormation, Elastic Container Registry, Elastic File System, ElastiCache, Managed Streaming for Apache Kafka, MQ, OpenSearch Service, RedShift, Secrets Manager, Simple Email Service, Step Functions, Systems Manager, Transfer Family, App Mesh, Bedrock, S3 Glacier, Glue, and Lake Formation.
Azure Services
- Added content for Azure AI Bot Service, Azure Databricks, Azure Machine Learning, Azure OpenAI Service, Azure Analysis Services, Azure Data Explorer, Azure Data Lake Analytics, Azure Event Hubs, Azure Stream Analytics, Azure Synapse Analytics, Azure App Service, Azure Batch, Azure Linux Virtual Machines, Azure Spring Apps, Azure Virtual Desktop, Azure Virtual Machine Scale Sets, Azure VMware Solution, Azure Windows Virtual Machines, Azure Container Apps, Azure Container Instances, Azure Container Registry, Azure Red Hat OpenShift, Azure Cache for Redis, Azure Cosmos DB, Azure Data Factory, Azure Database for MariaDB, Azure Database for MySQL, Azure Managed Instance for Apache Cassandra, Azure SQL, Azure App Configuration, Azure DevTest Labs, Azure Arc, Azure Stack Edge, Azure Active Directory External Identities, Azure API Management, Azure Event Grid, Azure Logic Apps, Azure Service Bus, Azure Web PubSub, Azure IoT Central, Azure IoT Hub, Azure Notification Hubs, Azure Automation, Azure Cloud Shell, Azure Cost Management, Azure Lighthouse, Azure Managed Applications, Azure Policy, Azure Purview, Azure Resource Manager templates, Azure Resource Mover, Azure Media Services, Azure Database Migration Service, Azure Migrate, Azure Site Recovery, Azure Digital Twins, Azure Remote Rendering, Azure Spatial Anchors, Azure Application Gateway, Azure Bastion, Azure Communications Gateway, Azure Content Delivery Network, Azure DDoS Protection, Azure DNS, Azure Firewall, Azure Firewall Manager, Azure Front Door, Azure Load Balancer, Azure NAT Gateway, Azure Network Watcher, Azure Private Link, Azure Traffic Manager, Azure Virtual WAN, Azure VPN Gateway, Azure Web Application Firewall, Azure PostgreSQL Database, Azure Attestation, Azure Dedicated HSM, Azure Defender for Cloud, Azure Information Protection, Azure Key Vault Managed HSM, Azure Sentinel, Azure Backup, Azure Data Box, Azure Data Share, Azure HPC Cache, Azure Managed Lustre, Azure NetApp Files, Azure Communication Services, Azure SignalR Service, Azure Blob Storage, and Azure Data Lake Storage.
Databases
- Added content for InfluxDB, Neo4j, MariaDB, CockroachDB, Apache Cassandra, MarkLogic, and SQLite.
Network
- Added content for Directory Server, DNS Server, Firewall, FTP Server, IDS/IPS, Load Balancer, Message Broker, File Transfer Protocol (FTP), Virtual Private Network (VPN), Proxy Server, Router, Service Bus, Virtual Private Network (VPN) Server, 3G, 4G/LTE, 5G, LoRa, Modbus, Advanced Message Queuing Protocol (AMQP), Content Delivery Network (CDN)
Compliance Regulations and Mappings
- CIS GitHub Benchmark 1.0.0

Content additions and updates (as of June 19, 2024):

Compliance Regulations and Mappings
- Added ANSI/ISA 62443-4-1 (ISASecure SDLA 312)
- Added CIS GitHub Benchmark 1.0.0
- Added EU AI Act
Content Packs
- Added InfluxDB
- Added Neo4j
- Added MariaDB
- Added CockroachDB
- Added Apache Cassandra
- Added MarkLogic
- Added PostgreSQL
- Added GitHub
- Added EU AI Act
- Added Network
T38: Bind variables in SQL statements
- I1891: Use parameterized commands when an application interacts with the database (PostgreSQL) [Added]
- I1892: Prevent injection attacks by using parameterized commands (InfluxDB) [Added]
- I1893: Use parameterized commands when an application accesses the database (MariaDB) [Added]
- I1894: Use parameterized commands when an application interacts with the database (CockroachDB) [Added]
- I1895: Use parameterized commands when an application interacts with the database [Added]
T177: Allow users to review and update their personal information
- TA6554: OWASP best practices for changing user account details [Added]
T796: Configure DNS for Root Domain (AWS Route53) [Updated]
- INFO: Updated the title.
- P896: Misconfiguration of DNS for Root Domain (AWS Route53) [Updated]
  - INFO: Updated the title and cwe set.
T829: Test that DNS for Root Domain is configured correctly (AWS Route53) [Updated]
- INFO: Updated the title.
- P896: Misconfiguration of DNS for Root Domain (AWS Route53) [Updated]
  - INFO: Updated the title and cwe set.
T1366: Identify applicable compliance regulations
- TA6823: SDLA 312 Requirement (SM-3) [Added]
- TA6825: SDLA 312 Requirement (SM-5) [Added]
T1373: Maintain the integrity of all software code
- TA6826: SDLA 312 Requirement (SM-6) [Added]
T1374: Ensure the integrity of software release and update delivery
- TA6827: SDLA 312 Requirement (SM-7) [Added]
- TA6834: SDLA 312 Requirement (SUM-1) [Added]
- TA6837: SDLA 312 Requirement (SUM-4) [Added]
- TA6838: SDLA 312 Requirement (SUM-5) [Added]
T1376: Provide and maintain guidance on secure installation, maintenance, and configuration of all software components
- TA6808: SDLA 312 Requirement (SG-1) [Added]
- TA6809: SDLA 312 Requirement (SG-2) [Added]
- TA6810: SDLA 312 Requirement (SG-3) [Added]
- TA6811: SDLA 312 Requirement (SG-4) [Added]
- TA6812: SDLA 312 Requirement (SG-5) [Added]
- TA6813: SDLA 312 Requirement (SG-6) [Added]
- TA6814: SDLA 312 Requirement (SG-7) [Added]
T1377: Establish and maintain a bi-directional communication channel for receiving security reports and sending security notifications
- TA6798: SDLA 312 Requirement (DM-1) [Added]
- TA6802: SDLA 312 Requirement (DM-5) [Added]
T1378: Release a change summary for each software update
- TA6835: SDLA 312 Requirement (SUM-2) [Added]
- TA6836: SDLA 312 Requirement (SUM-3) [Added]
T1387: Ensure the security of products acquired through the supply chain and contractors
- TA6818: SDLA 312 Requirement (SM-10) [Added]
T1388: Triage and fix vulnerabilities discovered during automated and manual security tests
- TA6799: SDLA 312 Requirement (DM-2) [Added]
- TA6800: SDLA 312 Requirement (DM-3) [Added]
- TA6801: SDLA 312 Requirement (DM-4) [Added]
- TA6803: SDLA 312 Requirement (DM-6) [Added]
- TA6819: SDLA 312 Requirement (SM-11) [Added]
- TA6820: SDLA 312 Requirement (SM-12) [Added]
- TA6821: SDLA 312 Requirement (SM-13) [Added]
T1389: Perform penetration testing
- TA6841: SDLA 312 Requirement (SVV-3) [Added]
- TA6842: SDLA 312 Requirement (SVV-4) [Added]
- TA6843: SDLA 312 Requirement (SVV-5) [Added]
T1453: Validate user input before transmitting it to the SQL server (Microsoft SQL Server) [Updated]
- INFO: Updated the text.
T1892: Perform a Threat and Risk Assessment (TRA)
- TA6830: SDLA 312 Requirement (SR-2) [Added]
T1921: Track and manage usage of third-party and commercial off the shelf (COTS) hardware or software
- TA6828: SDLA 312 Requirement (SM-9) [Added]
T2343: Define security-related roles and provide role-base training
- TA6822: SDLA 312 Requirement (SM-2) [Added]
- TA6824: SDLA 312 Requirement (SM-4) [Added]
T2345: Define and implement criteria for software security checks
- TA6815: SDLA 312 Requirement (SI-1) [Added]
T2351: Verify that security-related roles and responsibilities are properly defined and assigned
- TA6867: SDLA 312 Test Requirement (SM-2) [Added]
- TA6869: SDLA 312 Test Requirement (SM-4) [Added]
T2353: Verify that proper criteria for software security checks are defined and implemented
- TA6860: SDLA 312 Test Requirement (SI-1) [Added]
T2498: Provide clear definitions for each component
- TA6829: SDLA 312 Requirement (SR-1) [Added]
T2499: Verify that clear definitions for each component exist
- TA6874: SDLA 312 Test Requirement (SR-1) [Added]
T2500: Verify that a Threat and Risk Assessment (TRA) is performed
- TA6875: SDLA 312 Test Requirement (SR-2) [Added]
T2510: Define cybersecurity goals and requirements for a component
- TA6804: SDLA 312 Requirement (SD-1) [Added]
- TA6805: SDLA 312 Requirement (SD-2) [Added]
- TA6806: SDLA 312 Requirement (SD-3) [Added]
- TA6807: SDLA 312 Requirement (SD-4) [Added]
- TA6817: SDLA 312 Requirement (SM-1) [Added]
- TA6831: SDLA 312 Requirement (SR-3) [Added]
- TA6832: SDLA 312 Requirement (SR-4) [Added]
- TA6833: SDLA 312 Requirement (SR-5) [Added]
T2513: Verify whether cybersecurity goals and requirements are clearly defined for a component
- TA6850: SDLA 312 Test Requirement (SD-1) [Added]
- TA6851: SDLA 312 Test Requirement (SD-2) [Added]
- TA6852: SDLA 312 Test Requirement (SD-3) [Added]
- TA6853: SDLA 312 Test Requirement (SD-4) [Added]
- TA6862: SDLA 312 Test Requirement (SM-1) [Added]
- TA6876: SDLA 312 Test Requirement (SR-3) [Added]
- TA6877: SDLA 312 Test Requirement (SR-4) [Added]
- TA6878: SDLA 312 Test Requirement (SR-5) [Added]
T2514: Establish coding and testing guidelines
- TA6816: SDLA 312 Requirement (SI-2) [Added]
- TA6839: SDLA 312 Requirement (SVV-1) [Added]
- TA6840: SDLA 312 Requirement (SVV-2) [Added]
T2515: Verify coding and testing guidelines
- TA6861: SDLA 312 Test Requirement (SI-2) [Added]
- TA6884: SDLA 312 Test Requirement (SVV-1) [Added]
- TA6885: SDLA 312 Test Requirement (SVV-2) [Added]
T2615: Limit network access by blocking connections from unknown IP addresses (PostgreSQL) [Added]
T2616: Use a secure authentication mechanism for database connections (PostgreSQL) [Added]
- P1771: Weak authentication for database users [Added]
T2617: Create dedicated database user accounts with minimum privileges (PostgreSQL) [Added]
T2618: Remove unecessary superuser accounts (PostgreSQL) [Added]
- P1773: Overuse of superuser accounts (PostgreSQL) [Added]
T2619: Ensure that row-level security is correctly configured (PostgreSQL) [Added]
- P1774: Incorrect configuration of row-level security (PostgreSQL) [Added]
T2620: Protect data in transit with TLS (PostgreSQL) [Added]
T2621: Use file volume encryption and consider in-database encryption with pgcrypto (PostgreSQL) [Added]
T2622: Monitor database activity and enable audit logging (PostgreSQL) [Added]
- P1772: Failure to monitor database activity [Added]
T2623: Schedule regular database backups to protect availability (PostgreSQL) [Added]
- P2006: Failure to safeguard against data loss [Added]
T2624: Change insecure configuration defaults and remove unnecessary features (InfluxDB) [Added]
T2625: Follow best practices for token management (InfluxDB) [Added]
T2626: Use volume encryption as a partial mitigation (InfluxDB) [Added]
T2627: Protect data in transit with TLS (InfluxDB) [Added]
T2628: Schedule regular database backups to protect availability (InfluxDB) [Added]
- P2006: Failure to safeguard against data loss [Added]
T2629: Monitor database activity and enable audit logging (InfluxDB) [Added]
- P1772: Failure to monitor database activity [Added]
T2630: Change insecure configuration defaults and remove unnecessary features (Neo4j) [Added]
T2631: Restrict unecessary plugins and functions that use Neo4j's internal APIs (Neo4j) [Added]
- P1776: Unrestricted plugins (Neo4j) [Added]
T2632: Use a secure authentication mechanism for database connections (Neo4j) [Added]
- P1771: Weak authentication for database users [Added]
T2633: Create dedicated database user accounts with minimum privileges (Neo4j) [Added]
T2634: Disable credential caching (Neo4j) [Added]
- P1777: Credentials stored in clear text in the browser (Neo4j) [Added]
T2635: Use volume encryption as a partial mitigation (Neo4j) [Added]
T2636: Use TLS for Bolt or HTTPS communication (Neo4j) [Added]
T2637: Schedule regular database backups to protect availability (Neo4j) [Added]
- P2006: Failure to safeguard against data loss [Added]
T2638: Monitor database activity and enable audit logging (Neo4j) [Added]
- P1772: Failure to monitor database activity [Added]
T2639: Enable authentication and create at least one database user (MongoDB) [Added]
- P1778: Lack of authentication for database users (MongoDB) [Added]
T2640: Implement RBAC with dedicated database user accounts (MongoDB) [Added]
T2641: Protect sensitive data at rest with encryption (MongoDB) [Added]
T2642: Protect data in transit with TLS (MongoDB) [Added]
T2643: Monitor database activity and enable audit logging (MongoDB) [Added]
- P1772: Failure to monitor database activity [Added]
T2644: Change insecure configuration defaults and remove unnecessary features (MongoDB) [Added]
T2645: Create dedicated database user accounts with minimum privileges (MariaDB) [Added]
T2646: Disable command history logging (MariaDB) [Added]
- P1779: Leaking sensitive information in the command history (MariaDB) [Added]
T2647: Protect sensitive data at rest with encryption (MariaDB) [Added]
T2648: Protect data in transit with TLS (MariaDB) [Added]
T2649: Schedule regular database backups to protect availability (MariaDB) [Added]
- P2006: Failure to safeguard against data loss [Added]
T2650: Monitor database activity and enable audit logging (MariaDB) [Added]
- P1772: Failure to monitor database activity [Added]
T2651: Change insecure configuration defaults and remove unnecessary features (MariaDB) [Added]
T2652: Consider adding plugins for stronger authentication protocols and stricter password complexity rules (MariaDB) [Added]
- P1771: Weak authentication for database users [Added]
T2653: Do not use insecure mode (CockroadDB) [Added]
T2654: Limit network access by blocking connections from unknown IP addresses (CockroachDB) [Added]
T2655: Use a secure authentication mechanism for database connections (CockroachDB) [Added]
- P1771: Weak authentication for database users [Added]
T2656: Create dedicated database user accounts with minimum privileges CockroachDB) [Added]
T2657: Protect data in transit with TLS (CockroachDB) [Added]
T2658: Protect sensitive data at rest with encryption (CockroachDB) [Added]
T2659: Monitor database security logs and consider audit logging (CockroachDB) [Added]
- P1772: Failure to monitor database activity [Added]
T2660: Schedule regular database backups to protect availability (CockroachDB) [Added]
- P2006: Failure to safeguard against data loss [Added]
T2661: Change insecure configuration defaults and remove unnecessary features [Added]
T2662: Restrict network access to the database server [Added]
T2663: Use a secure authentication mechanism for database connections [Added]
- P1771: Weak authentication for database users [Added]
T2664: Create dedicated database user accounts with minimum privileges [Added]
T2665: Protect sensitive data at rest with encryption [Added]
T2666: Protect data in transit with TLS [Added]
T2667: Schedule regular database backups to protect availability [Added]
- P2006: Failure to safeguard against data loss [Added]
T2668: Monitor database activity and enable audit logging [Added]
- P1772: Failure to monitor database activity [Added]
T2669: Schedule regular database backups to protect availability (MongoDB) [Added]
- P2006: Failure to safeguard against data loss [Added]
T2670: Verify that applicable compliance regulations are identified [Added]
- TA6868: SDLA 312 Test Requirement (SM-3) [Added]
- TA6870: SDLA 312 Test Requirement (SM-5) [Added]
T2671: Verify that the integrity of all software code is maintained [Added]
- TA6871: SDLA 312 Test Requirement (SM-6) [Added]
T2672: Verify that the integrity of software release and update delivery is protected [Added]
- TA6872: SDLA 312 Test Requirement (SM-7) [Added]
- TA6879: SDLA 312 Test Requirement (SUM-1) [Added]
- TA6882: SDLA 312 Test Requirement (SUM-4) [Added]
- TA6883: SDLA 312 Test Requirement (SUM-5) [Added]
T2673: Verify that usage third-party and commercial off the shelf (COTS) hardware or software is tracked and managed [Added]
- TA6873: SDLA 312 Test Requirement (SM-9) [Added]
T2674: Verify that products acquired through the supply chain and contractors are secure [Added]
- TA6863: SDLA 312 Test Requirement (SM-10) [Added]
T2675: Verify that vulnerabilities discovered during automated and manual security tests are triaged and fixed [Added]
- TA6845: SDLA 312 Test Requirement (DM-2) [Added]
- TA6846: SDLA 312 Test Requirement (DM-3) [Added]
- TA6847: SDLA 312 Test Requirement (DM-4) [Added]
- TA6849: SDLA 312 Test Requirement (DM-6) [Added]
- TA6864: SDLA 312 Test Requirement (SM-11) [Added]
- TA6865: SDLA 312 Test Requirement (SM-12) [Added]
- TA6866: SDLA 312 Test Requirement (SM-13) [Added]
T2676: Verify that a bi-directional communication channel is established and maintained for receiving security reports and sending notifications [Added]
- TA6844: SDLA 312 Test Requirement (DM-1) [Added]
- TA6848: SDLA 312 Test Requirement (DM-5) [Added]
T2677: Verify that a change summary is released for each software update [Added]
- TA6880: SDLA 312 Test Requirement (SUM-2) [Added]
- TA6881: SDLA 312 Test Requirement (SUM-3) [Added]
T2678: Verify that guidance is provided and maintained for secure installation, maintenance and configuration of all software components [Added]
- TA6854: SDLA 312 Test Requirement (SG-1) [Added]
- TA6855: SDLA 312 Test Requirement (SG-2) [Added]
- TA6856: SDLA 312 Test Requirement (SG-3) [Added]
- TA6857: SDLA 312 Test Requirement (SG-4) [Added]
- TA6858: SDLA 312 Test Requirement (SG-6) [Added]
- TA6859: SDLA 312 Test Requirement (SG-7) [Added]
T2679: Verify that penetration testing has been performed [Added]
- TA6886: SDLA 312 Test Requirement (SVV-3) [Added]
- TA6887: SDLA 312 Test Requirement (SVV-4) [Added]
- TA6888: SDLA 312 Test Requirement (SVV-5) [Added]
T2680: Establish network segmentation boundaries (Azure) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T2681: Secure cloud native services with network controls (Azure) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T2682: Deploy firewall at the edge of enterprise network (Azure) [Added]
- P1782: Uncontrolled network access (Cloud) [Added]
T2683: Deploy intrusion detection/intrusion prevention systems (IDS/IPS) (Azure) [Added]
- P1783: Unmonitored network traffic vulnerability (Cloud) [Added]
T2684: Deploy DDOS protection (Azure) [Added]
- P1784: Insufficient traffic filtering and rate limiting (Cloud) [Added]
T2685: Deploy web application firewall (Azure) [Added]
- P1785: Unprotected web applications (Cloud) [Added]
T2686: Simplify network security configuration (Azure) [Added]
- P1786: Overly complex network security configurations (Cloud) [Added]
T2687: Detect and disable insecure services and protocols (Azure) [Added]
- P1787: Outdated and vulnerable network services (Cloud) [Added]
T2688: Connect on-premises or cloud network privately (Azure) [Added]
- P1788: Unsecured public network connections (Cloud) [Added]
T2689: Ensure Domain Name System (DNS) security (Azure) [Added]
- P1789: Unsecured Domain Name System (DNS) (Cloud) [Added]
T2690: Use centralized identity and authentication system (Azure) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T2691: Protect identity and authentication systems (Azure) [Added]
- P1791: Unsecured identity and authentication systems (Cloud) [Added]
T2692: Manage application identities securely and automatically (Azure) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T2693: Authenticate server and services (Azure) [Added]
- P1793: Unverified server identity (Cloud) [Added]
T2694: Use single sign-on (SSO) for application access (Azure) [Added]
- P1794: Insufficient authentication protocols (Cloud) [Added]
T2695: Use strong authentication controls (Azure) [Added]
- P1795: Weak password-based authentication (Cloud) [Added]
T2696: Restrict resource access based on conditions (Azure) [Added]
- P1796: Insufficient resource access control (Cloud) [Added]
T2697: Restrict the exposure of credentials and secrets (Azure) [Added]
- P1797: Unsecured storage of credentials and secrets (Cloud) [Added]
T2698: Secure user access to existing applications (Azure) [Added]
- P1798: Unsecured access to legacy applications (Cloud) [Added]
T2699: Separate and limit highly privileged/administrative users (Azure) [Added]
- P1799: Excessive privileged access (Cloud) [Added]
T2700: Avoid standing access for user accounts and permissions (Azure) [Added]
- P1800: Overly broad access permissions (Cloud) [Added]
T2701: Manage lifecycle of identities and entitlements (Azure) [Added]
- P1801: Uncontrolled identity and access management (Cloud) [Added]
T2702: Review and reconcile user access regularly (Azure) [Added]
- P1802: Unmonitored privileged access (Cloud) [Added]
T2703: Set up emergency access (Azure) [Added]
- P1803: Insufficient emergency access management (Cloud) [Added]
T2704: Use privileged access workstations (Azure) [Added]
- P1804: Insufficiently secured administrative access (Cloud) [Added]
T2705: Follow just enough administration (least privilege) principle (Azure) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T2706: Determine access process for cloud provider support (Azure) [Added]
- P1806: Uncontrolled vendor access (Cloud) [Added]
T2707: Discover, classify, and label sensitive data (Azure) [Added]
- P1807: Unidentified and unprotected sensitive data (Cloud) [Added]
T2708: Monitor anomalies and threats targeting sensitive data (Azure) [Added]
- P1808: Unmonitored sensitive data transfers (Cloud) [Added]
T2709: Encrypt sensitive data in transit (Azure) [Added]
- P1809: Unprotected data in transit (Cloud) [Added]
T2710: Enable data at rest encryption by default (Azure) [Added]
- P1810: Unprotected data at rest (Cloud) [Added]
T2711: Use customer-managed key option in data at rest encryption when required (Azure) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T2712: Use a secure key management process (Azure) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T2713: Use a secure certificate management process (Azure) [Added]
- P1813: Inadequate certificate management (Cloud) [Added]
T2714: Ensure security of key and certificate repository (Azure) [Added]
- P1814: Unsecured key and certificate repository (Cloud) [Added]
T2715: Track asset inventory and their risks (Azure) [Added]
- P1815: Untracked and unmonitored cloud assets (Cloud) [Added]
T2716: Use only approved services (Azure) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T2717: Ensure security of asset lifecycle management (Azure) [Added]
- P1817: Outdated security configurations (Cloud) [Added]
T2718: Limit access to asset management (Azure) [Added]
- P1818: Unauthorized access to asset management (Cloud) [Added]
T2719: Use only approved applications in virtual machine (Azure) [Added]
- P1819: Uncontrolled execution of unauthorized software (Cloud) [Added]
T2720: Enable threat detection capabilities (Azure) [Added]
- P1820: Inadequate threat detection and alerting (Cloud) [Added]
T2721: Enable threat detection for identity and access management (Azure) [Added]
- P1821: Unmonitored identity and access management systems (Cloud) [Added]
T2722: Enable logging for security investigation (Azure) [Added]
- P1822: Insufficient logging and monitoring (Cloud) [Added]
T2723: Enable network logging for security investigation (Azure) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T2724: Centralize security log management and analysis (Azure) [Added]
- P1824: Decentralized security log management (Cloud) [Added]
T2725: Configure log storage retention (Azure) [Added]
- P1825: Insufficient log storage retention periods (Cloud) [Added]
T2726: Use approved time synchronization sources (Azure) [Added]
- P1826: Unreliable logging timestamps (Cloud) [Added]
T2727: Preparation - update incident response plan and handling process (Azure) [Added]
- P1827: Inadequate incident response planning (Cloud) [Added]
T2728: Preparation - setup incident notification (Azure) [Added]
- P1828: Inadequate incident notification setup (Cloud) [Added]
T2729: Detection and analysis - create incidents based on high-quality alerts (Azure) [Added]
- P1829: Insufficient alert quality management (Cloud) [Added]
T2730: Detection and analysis - investigate an incident (Azure) [Added]
- P1830: Inadequate data collection and analysis (Cloud) [Added]
T2731: Detection and analysis - prioritize incidents (Azure) [Added]
- P1831: Insufficient incident prioritization (Cloud) [Added]
T2732: Containment, eradication and recovery - automate the incident handling (Azure) [Added]
- P1832: Inefficient manual incident handling processes (Cloud) [Added]
T2733: Post-incident activity - conduct lessons learned and retain evidence (Azure) [Added]
- P1833: Failure to document incident response efforts (Cloud) [Added]
T2734: Define and establish secure configurations (Azure) [Added]
- P1834: Inconsistent cloud resource configurations (Cloud) [Added]
T2735: Audit and enforce secure configurations (Azure) [Added]
- P1835: Unsecured system configurations (Cloud) [Added]
T2736: Define and establish secure configurations for compute resources (Azure) [Added]
- P1836: Inadequate compute resource configuration (Cloud) [Added]
T2737: Audit and enforce secure configurations for compute resources (Azure) [Added]
- P1837: Unsecured compute resource configurations (Cloud) [Added]
T2738: Perform vulnerability assessments (Azure) [Added]
- P1838: Lack of vulnerability assessments (Cloud) [Added]
T2739: Rapidly and automatically remediate vulnerabilities (Azure) [Added]
- P1839: Unpatched vulnerabilities in cloud resources (Cloud) [Added]
T2740: Conduct regular red team operations (Azure) [Added]
- P1840: Overreliance on traditional vulnerability scanning (Cloud) [Added]
T2741: Use Endpoint Detection and Response (EDR) (Azure) [Added]
- P1841: Unmonitored endpoint activity (Cloud) [Added]
T2742: Use modern anti-malware software (Azure) [Added]
- P1842: Outdated malware protection mechanisms (Cloud) [Added]
T2743: Ensure anti-malware software and signatures are updated (Azure) [Added]
- P1843: Outdated anti-malware signatures (Cloud) [Added]
T2744: Ensure regular automated backups (Azure) [Added]
- P1844: Inadequate data backup practices (Cloud) [Added]
T2745: Protect backup and recovery data (Azure) [Added]
- P1845: Unsecured backup and recovery data (Cloud) [Added]
T2746: Monitor backups (Azure) [Added]
- P1846: Inadequate backup monitoring (Cloud) [Added]
T2747: Regularly test backup (Azure) [Added]
- P1847: Inadequate backup verification (Cloud) [Added]
T2748: Conduct threat modeling (Azure) [Added]
- P1848: Inadequate threat identification and mitigation (Cloud) [Added]
T2749: Ensure software supply chain security (Azure) [Added]
- P1849: Unsecured software supply chain (Cloud) [Added]
T2750: Secure DevOps infrastructure (Azure) [Added]
- P1850: Unsecured DevOps infrastructure (Cloud) [Added]
T2751: Integrate static application security testing into DevOps pipeline (Azure) [Added]
- P1851: Insufficient code review and testing (Cloud) [Added]
T2752: Integrate dynamic application security testing into DevOps pipeline (Azure) [Added]
- P1852: Insufficient security testing in CI/CD pipelines (Cloud) [Added]
T2753: Enforce security of workload throughout DevOps lifecycle (Azure) [Added]
- P1853: Inadequate DevOps security practices (Cloud) [Added]
T2754: Enable logging and monitoring in DevOps (Azure) [Added]
- P1854: Inadequate logging and monitoring in DevOps (Cloud) [Added]
T2755: Align organization roles, responsibilities and accountabilities (Azure) [Added]
- P1855: Lack of defined security roles and responsibilities (Cloud) [Added]
T2756: Define and implement enterprise segmentation/separation of duties strategy (Azure) [Added]
- P1856: Insufficient access control and segmentation (Cloud) [Added]
T2757: Define and implement data protection strategy (Azure) [Added]
- P1857: Inadequate data protection strategy (Cloud) [Added]
T2758: Define and implement network security strategy (Azure) [Added]
- P1858: Lack of unified network security strategy (Cloud) [Added]
T2759: Define and implement security posture management strategy (Azure) [Added]
- P1859: Inadequate cloud security configuration (Cloud) [Added]
T2760: Define and implement identity and privileged access strategy (Azure) [Added]
- P1860: Inadequate identity and access management (Cloud) [Added]
T2761: Define and implement logging, threat detection and incident response strategy (Azure) [Added]
- P1861: Inadequate logging and incident response (Cloud) [Added]
T2762: Define and implement backup and recovery strategy (Azure) [Added]
- P1862: Inadequate data backup and recovery processes (Cloud) [Added]
T2763: Define and implement endpoint security strategy (Azure) [Added]
- P1863: Unsecured endpoints (Cloud) [Added]
T2764: Define and implement DevOps security strategy (Azure) [Added]
- P1864: Inadequate DevOps security strategy (Cloud) [Added]
T2765: Define and implement multi-cloud security strategy (Azure) [Added]
- P1865: Lack of unified cloud security management (Cloud) [Added]
T2766: Establish network segmentation boundaries (AWS) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T2767: Secure cloud native services with network controls (AWS) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T2768: Deploy firewall at the edge of enterprise network (AWS) [Added]
- P1782: Uncontrolled network access (Cloud) [Added]
T2769: Deploy intrusion detection/intrusion prevention systems (IDS/IPS) (AWS) [Added]
- P1783: Unmonitored network traffic vulnerability (Cloud) [Added]
T2770: Deploy DDOS protection (AWS) [Added]
- P1784: Insufficient traffic filtering and rate limiting (Cloud) [Added]
T2771: Deploy web application firewall (AWS) [Added]
- P1785: Unprotected web applications (Cloud) [Added]
T2772: Simplify network security configuration (AWS) [Added]
- P1786: Overly complex network security configurations (Cloud) [Added]
T2773: Detect and disable insecure services and protocols (AWS) [Added]
- P1787: Outdated and vulnerable network services (Cloud) [Added]
T2774: Connect on-premises or cloud network privately (AWS) [Added]
- P1788: Unsecured public network connections (Cloud) [Added]
T2775: Ensure Domain Name System (DNS) security (AWS) [Added]
- P1789: Unsecured Domain Name System (DNS) (Cloud) [Added]
T2776: Use centralized identity and authentication system (AWS) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T2777: Protect identity and authentication systems (AWS) [Added]
- P1791: Unsecured identity and authentication systems (Cloud) [Added]
T2778: Manage application identities securely and automatically (AWS) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T2779: Authenticate server and services (AWS) [Added]
- P1793: Unverified server identity (Cloud) [Added]
T2780: Use single sign-on (SSO) for application access (AWS) [Added]
- P1794: Insufficient authentication protocols (Cloud) [Added]
T2781: Use strong authentication controls (AWS) [Added]
- P1795: Weak password-based authentication (Cloud) [Added]
T2782: Restrict resource access based on conditions (AWS) [Added]
- P1796: Insufficient resource access control (Cloud) [Added]
T2783: Restrict the exposure of credentials and secrets (AWS) [Added]
- P1797: Unsecured storage of credentials and secrets (Cloud) [Added]
T2784: Secure user access to existing applications (AWS) [Added]
- P1798: Unsecured access to legacy applications (Cloud) [Added]
T2785: Separate and limit highly privileged/administrative users (AWS) [Added]
- P1799: Excessive privileged access (Cloud) [Added]
T2786: Avoid standing access for user accounts and permissions (AWS) [Added]
- P1800: Overly broad access permissions (Cloud) [Added]
T2787: Manage lifecycle of identities and entitlements (AWS) [Added]
- P1801: Uncontrolled identity and access management (Cloud) [Added]
T2788: Review and reconcile user access regularly (AWS) [Added]
- P1802: Unmonitored privileged access (Cloud) [Added]
T2789: Set up emergency access (AWS) [Added]
- P1803: Insufficient emergency access management (Cloud) [Added]
T2790: Use privileged access workstations (AWS) [Added]
- P1804: Insufficiently secured administrative access (Cloud) [Added]
T2791: Follow just enough administration (least privilege) principle (AWS) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T2792: Determine access process for cloud provider support (AWS) [Added]
- P1806: Uncontrolled vendor access (Cloud) [Added]
T2793: Discover, classify, and label sensitive data (AWS) [Added]
- P1807: Unidentified and unprotected sensitive data (Cloud) [Added]
T2794: Monitor anomalies and threats targeting sensitive data (AWS) [Added]
- P1808: Unmonitored sensitive data transfers (Cloud) [Added]
T2795: Encrypt sensitive data in transit (AWS) [Added]
- P1809: Unprotected data in transit (Cloud) [Added]
T2796: Enable data at rest encryption by default (AWS) [Added]
- P1810: Unprotected data at rest (Cloud) [Added]
T2797: Use customer-managed key option in data at rest encryption when required (AWS) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T2798: Use a secure key management process (AWS) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T2799: Use a secure certificate management process (AWS) [Added]
- P1813: Inadequate certificate management (Cloud) [Added]
T2800: Ensure security of key and certificate repository (AWS) [Added]
- P1814: Unsecured key and certificate repository (Cloud) [Added]
T2801: Track asset inventory and their risks (AWS) [Added]
- P1815: Untracked and unmonitored cloud assets (Cloud) [Added]
T2802: Use only approved services (AWS) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T2803: Ensure security of asset lifecycle management (AWS) [Added]
- P1817: Outdated security configurations (Cloud) [Added]
T2804: Limit access to asset management (AWS) [Added]
- P1818: Unauthorized access to asset management (Cloud) [Added]
T2805: Use only approved applications in virtual machine (AWS) [Added]
- P1819: Uncontrolled execution of unauthorized software (Cloud) [Added]
T2806: Enable threat detection capabilities (AWS) [Added]
- P1820: Inadequate threat detection and alerting (Cloud) [Added]
T2807: Enable threat detection for identity and access management (AWS) [Added]
- P1821: Unmonitored identity and access management systems (Cloud) [Added]
T2808: Enable logging for security investigation (AWS) [Added]
- P1822: Insufficient logging and monitoring (Cloud) [Added]
T2809: Enable network logging for security investigation (AWS) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T2810: Centralize security log management and analysis (AWS) [Added]
- P1824: Decentralized security log management (Cloud) [Added]
T2811: Configure log storage retention (AWS) [Added]
- P1825: Insufficient log storage retention periods (Cloud) [Added]
T2812: Use approved time synchronization sources (AWS) [Added]
- P1826: Unreliable logging timestamps (Cloud) [Added]
T2813: Preparation - update incident response plan and handling process (AWS) [Added]
- P1827: Inadequate incident response planning (Cloud) [Added]
T2814: Preparation - setup incident notification (AWS) [Added]
- P1828: Inadequate incident notification setup (Cloud) [Added]
T2815: Detection and analysis - create incidents based on high-quality alerts (AWS) [Added]
- P1829: Insufficient alert quality management (Cloud) [Added]
T2816: Detection and analysis - investigate an incident (AWS) [Added]
- P1830: Inadequate data collection and analysis (Cloud) [Added]
T2817: Detection and analysis - prioritize incidents (AWS) [Added]
- P1831: Insufficient incident prioritization (Cloud) [Added]
T2818: Containment, eradication and recovery - automate the incident handling (AWS) [Added]
- P1832: Inefficient manual incident handling processes (Cloud) [Added]
T2819: Post-incident activity - conduct lessons learned and retain evidence (AWS) [Added]
- P1833: Failure to document incident response efforts (Cloud) [Added]
T2820: Define and establish secure configurations (AWS) [Added]
- P1834: Inconsistent cloud resource configurations (Cloud) [Added]
T2821: Audit and enforce secure configurations (AWS) [Added]
- P1835: Unsecured system configurations (Cloud) [Added]
T2822: Define and establish secure configurations for compute resources (AWS) [Added]
- P1836: Inadequate compute resource configuration (Cloud) [Added]
T2823: Audit and enforce secure configurations for compute resources (AWS) [Added]
- P1837: Unsecured compute resource configurations (Cloud) [Added]
T2824: Perform vulnerability assessments (AWS) [Added]
- P1838: Lack of vulnerability assessments (Cloud) [Added]
T2825: Rapidly and automatically remediate vulnerabilities (AWS) [Added]
- P1839: Unpatched vulnerabilities in cloud resources (Cloud) [Added]
T2826: Conduct regular red team operations (AWS) [Added]
- P1840: Overreliance on traditional vulnerability scanning (Cloud) [Added]
T2827: Use Endpoint Detection and Response (EDR) (AWS) [Added]
- P1841: Unmonitored endpoint activity (Cloud) [Added]
T2828: Use modern anti-malware software (AWS) [Added]
- P1842: Outdated malware protection mechanisms (Cloud) [Added]
T2829: Ensure anti-malware software and signatures are updated (AWS) [Added]
- P1843: Outdated anti-malware signatures (Cloud) [Added]
T2830: Ensure regular automated backups (AWS) [Added]
- P1844: Inadequate data backup practices (Cloud) [Added]
T2831: Protect backup and recovery data (AWS) [Added]
- P1845: Unsecured backup and recovery data (Cloud) [Added]
T2832: Monitor backups (AWS) [Added]
- P1846: Inadequate backup monitoring (Cloud) [Added]
T2833: Regularly test backup (AWS) [Added]
- P1847: Inadequate backup verification (Cloud) [Added]
T2834: Conduct threat modeling (AWS) [Added]
- P1848: Inadequate threat identification and mitigation (Cloud) [Added]
T2835: Ensure software supply chain security (AWS) [Added]
- P1849: Unsecured software supply chain (Cloud) [Added]
T2836: Secure DevOps infrastructure (AWS) [Added]
- P1850: Unsecured DevOps infrastructure (Cloud) [Added]
T2837: Integrate static application security testing into DevOps pipeline (AWS) [Added]
- P1851: Insufficient code review and testing (Cloud) [Added]
T2838: Integrate dynamic application security testing into DevOps pipeline (AWS) [Added]
- P1852: Insufficient security testing in CI/CD pipelines (Cloud) [Added]
T2839: Enforce security of workload throughout DevOps lifecycle (AWS) [Added]
- P1853: Inadequate DevOps security practices (Cloud) [Added]
T2840: Enable logging and monitoring in DevOps (AWS) [Added]
- P1854: Inadequate logging and monitoring in DevOps (Cloud) [Added]
T2841: Align organization roles, responsibilities and accountabilities (AWS) [Added]
- P1855: Lack of defined security roles and responsibilities (Cloud) [Added]
T2842: Define and implement enterprise segmentation/separation of duties strategy (AWS) [Added]
- P1856: Insufficient access control and segmentation (Cloud) [Added]
T2843: Define and implement data protection strategy (AWS) [Added]
- P1857: Inadequate data protection strategy (Cloud) [Added]
T2844: Define and implement network security strategy (AWS) [Added]
- P1858: Lack of unified network security strategy (Cloud) [Added]
T2845: Define and implement security posture management strategy (AWS) [Added]
- P1859: Inadequate cloud security configuration (Cloud) [Added]
T2846: Define and implement identity and privileged access strategy (AWS) [Added]
- P1860: Inadequate identity and access management (Cloud) [Added]
T2847: Define and implement logging, threat detection and incident response strategy (AWS) [Added]
- P1861: Inadequate logging and incident response (Cloud) [Added]
T2848: Define and implement backup and recovery strategy (AWS) [Added]
- P1862: Inadequate data backup and recovery processes (Cloud) [Added]
T2849: Define and implement endpoint security strategy (AWS) [Added]
- P1863: Unsecured endpoints (Cloud) [Added]
T2850: Define and implement DevOps security strategy (AWS) [Added]
- P1864: Inadequate DevOps security strategy (Cloud) [Added]
T2851: Define and implement multi-cloud security strategy (AWS) [Added]
- P1865: Lack of unified cloud security management (Cloud) [Added]
T2852: Establish network segmentation boundaries (GCP) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T2853: Secure cloud native services with network controls (GCP) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T2854: Deploy firewall at the edge of enterprise network (GCP) [Added]
- P1782: Uncontrolled network access (Cloud) [Added]
T2855: Deploy intrusion detection/intrusion prevention systems (IDS/IPS) (GCP) [Added]
- P1783: Unmonitored network traffic vulnerability (Cloud) [Added]
T2856: Deploy DDOS protection (GCP) [Added]
- P1784: Insufficient traffic filtering and rate limiting (Cloud) [Added]
T2857: Deploy web application firewall (GCP) [Added]
- P1785: Unprotected web applications (Cloud) [Added]
T2858: Simplify network security configuration (GCP) [Added]
- P1786: Overly complex network security configurations (Cloud) [Added]
T2859: Detect and disable insecure services and protocols (GCP) [Added]
- P1787: Outdated and vulnerable network services (Cloud) [Added]
T2860: Connect on-premises or cloud network privately (GCP) [Added]
- P1788: Unsecured public network connections (Cloud) [Added]
T2861: Ensure Domain Name System (DNS) security (GCP) [Added]
- P1789: Unsecured Domain Name System (DNS) (Cloud) [Added]
T2862: Use centralized identity and authentication system (GCP) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T2863: Protect identity and authentication systems (GCP) [Added]
- P1791: Unsecured identity and authentication systems (Cloud) [Added]
T2864: Manage application identities securely and automatically (GCP) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T2865: Authenticate server and services (GCP) [Added]
- P1793: Unverified server identity (Cloud) [Added]
T2866: Use single sign-on (SSO) for application access (GCP) [Added]
- P1794: Insufficient authentication protocols (Cloud) [Added]
T2867: Use strong authentication controls (GCP) [Added]
- P1795: Weak password-based authentication (Cloud) [Added]
T2868: Restrict resource access based on conditions (GCP) [Added]
- P1796: Insufficient resource access control (Cloud) [Added]
T2869: Restrict the exposure of credentials and secrets (GCP) [Added]
- P1797: Unsecured storage of credentials and secrets (Cloud) [Added]
T2870: Secure user access to existing applications (GCP) [Added]
- P1798: Unsecured access to legacy applications (Cloud) [Added]
T2871: Separate and limit highly privileged/administrative users (GCP) [Added]
- P1799: Excessive privileged access (Cloud) [Added]
T2872: Avoid standing access for user accounts and permissions (GCP) [Added]
- P1800: Overly broad access permissions (Cloud) [Added]
T2873: Manage lifecycle of identities and entitlements (GCP) [Added]
- P1801: Uncontrolled identity and access management (Cloud) [Added]
T2874: Review and reconcile user access regularly (GCP) [Added]
- P1802: Unmonitored privileged access (Cloud) [Added]
T2875: Set up emergency access (GCP) [Added]
- P1803: Insufficient emergency access management (Cloud) [Added]
T2876: Use privileged access workstations (GCP) [Added]
- P1804: Insufficiently secured administrative access (Cloud) [Added]
T2877: Follow just enough administration (least privilege) principle (GCP) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T2878: Determine access process for cloud provider support (GCP) [Added]
- P1806: Uncontrolled vendor access (Cloud) [Added]
T2879: Discover, classify, and label sensitive data (GCP) [Added]
- P1807: Unidentified and unprotected sensitive data (Cloud) [Added]
T2880: Monitor anomalies and threats targeting sensitive data (GCP) [Added]
- P1808: Unmonitored sensitive data transfers (Cloud) [Added]
T2881: Encrypt sensitive data in transit (GCP) [Added]
- P1809: Unprotected data in transit (Cloud) [Added]
T2882: Enable data at rest encryption by default (GCP) [Added]
- P1810: Unprotected data at rest (Cloud) [Added]
T2883: Use customer-managed key option in data at rest encryption when required (GCP) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T2884: Use a secure key management process (GCP) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T2885: Use a secure certificate management process (GCP) [Added]
- P1813: Inadequate certificate management (Cloud) [Added]
T2886: Ensure security of key and certificate repository (GCP) [Added]
- P1814: Unsecured key and certificate repository (Cloud) [Added]
T2887: Track asset inventory and their risks (GCP) [Added]
- P1815: Untracked and unmonitored cloud assets (Cloud) [Added]
T2888: Use only approved services (GCP) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T2889: Ensure security of asset lifecycle management (GCP) [Added]
- P1817: Outdated security configurations (Cloud) [Added]
T2890: Limit access to asset management (GCP) [Added]
- P1818: Unauthorized access to asset management (Cloud) [Added]
T2891: Use only approved applications in virtual machine (GCP) [Added]
- P1819: Uncontrolled execution of unauthorized software (Cloud) [Added]
T2892: Enable threat detection capabilities (GCP) [Added]
- P1820: Inadequate threat detection and alerting (Cloud) [Added]
T2893: Enable threat detection for identity and access management (GCP) [Added]
- P1821: Unmonitored identity and access management systems (Cloud) [Added]
T2894: Enable logging for security investigation (GCP) [Added]
- P1822: Insufficient logging and monitoring (Cloud) [Added]
T2895: Enable network logging for security investigation (GCP) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T2896: Centralize security log management and analysis (GCP) [Added]
- P1824: Decentralized security log management (Cloud) [Added]
T2897: Configure log storage retention (GCP) [Added]
- P1825: Insufficient log storage retention periods (Cloud) [Added]
T2898: Use approved time synchronization sources (GCP) [Added]
- P1826: Unreliable logging timestamps (Cloud) [Added]
T2899: Preparation - update incident response plan and handling process (GCP) [Added]
- P1827: Inadequate incident response planning (Cloud) [Added]
T2900: Preparation - setup incident notification (GCP) [Added]
- P1828: Inadequate incident notification setup (Cloud) [Added]
T2901: Detection and analysis - create incidents based on high-quality alerts (GCP) [Added]
- P1829: Insufficient alert quality management (Cloud) [Added]
T2902: Detection and analysis - investigate an incident (GCP) [Added]
- P1830: Inadequate data collection and analysis (Cloud) [Added]
T2903: Detection and analysis - prioritize incidents (GCP) [Added]
- P1831: Insufficient incident prioritization (Cloud) [Added]
T2904: Containment, eradication and recovery - automate the incident handling (GCP) [Added]
- P1832: Inefficient manual incident handling processes (Cloud) [Added]
T2905: Post-incident activity - conduct lessons learned and retain evidence (GCP) [Added]
- P1833: Failure to document incident response efforts (Cloud) [Added]
T2906: Define and establish secure configurations (GCP) [Added]
- P1834: Inconsistent cloud resource configurations (Cloud) [Added]
T2907: Audit and enforce secure configurations (GCP) [Added]
- P1835: Unsecured system configurations (Cloud) [Added]
T2908: Define and establish secure configurations for compute resources (GCP) [Added]
- P1836: Inadequate compute resource configuration (Cloud) [Added]
T2909: Audit and enforce secure configurations for compute resources (GCP) [Added]
- P1837: Unsecured compute resource configurations (Cloud) [Added]
T2910: Perform vulnerability assessments (GCP) [Added]
- P1838: Lack of vulnerability assessments (Cloud) [Added]
T2911: Rapidly and automatically remediate vulnerabilities (GCP) [Added]
- P1839: Unpatched vulnerabilities in cloud resources (Cloud) [Added]
T2912: Conduct regular red team operations (GCP) [Added]
- P1840: Overreliance on traditional vulnerability scanning (Cloud) [Added]
T2913: Use Endpoint Detection and Response (EDR) (GCP) [Added]
- P1841: Unmonitored endpoint activity (Cloud) [Added]
T2914: Use modern anti-malware software (GCP) [Added]
- P1842: Outdated malware protection mechanisms (Cloud) [Added]
T2915: Ensure anti-malware software and signatures are updated (GCP) [Added]
- P1843: Outdated anti-malware signatures (Cloud) [Added]
T2916: Ensure regular automated backups (GCP) [Added]
- P1844: Inadequate data backup practices (Cloud) [Added]
T2917: Protect backup and recovery data (GCP) [Added]
- P1845: Unsecured backup and recovery data (Cloud) [Added]
T2918: Monitor backups (GCP) [Added]
- P1846: Inadequate backup monitoring (Cloud) [Added]
T2919: Regularly test backup (GCP) [Added]
- P1847: Inadequate backup verification (Cloud) [Added]
T2920: Conduct threat modeling (GCP) [Added]
- P1848: Inadequate threat identification and mitigation (Cloud) [Added]
T2921: Ensure software supply chain security (GCP) [Added]
- P1849: Unsecured software supply chain (Cloud) [Added]
T2922: Secure DevOps infrastructure (GCP) [Added]
- P1850: Unsecured DevOps infrastructure (Cloud) [Added]
T2923: Integrate static application security testing into DevOps pipeline (GCP) [Added]
- P1851: Insufficient code review and testing (Cloud) [Added]
T2924: Integrate dynamic application security testing into DevOps pipeline (GCP) [Added]
- P1852: Insufficient security testing in CI/CD pipelines (Cloud) [Added]
T2925: Enforce security of workload throughout DevOps lifecycle (GCP) [Added]
- P1853: Inadequate DevOps security practices (Cloud) [Added]
T2926: Enable logging and monitoring in DevOps (GCP) [Added]
- P1854: Inadequate logging and monitoring in DevOps (Cloud) [Added]
T2927: Align organization roles, responsibilities and accountabilities (GCP) [Added]
- P1855: Lack of defined security roles and responsibilities (Cloud) [Added]
T2928: Define and implement enterprise segmentation/separation of duties strategy (GCP) [Added]
- P1856: Insufficient access control and segmentation (Cloud) [Added]
T2929: Define and implement data protection strategy (GCP) [Added]
- P1857: Inadequate data protection strategy (Cloud) [Added]
T2930: Define and implement network security strategy (GCP) [Added]
- P1858: Lack of unified network security strategy (Cloud) [Added]
T2931: Define and implement security posture management strategy (GCP) [Added]
- P1859: Inadequate cloud security configuration (Cloud) [Added]
T2932: Define and implement identity and privileged access strategy (GCP) [Added]
- P1860: Inadequate identity and access management (Cloud) [Added]
T2933: Define and implement logging, threat detection and incident response strategy (GCP) [Added]
- P1861: Inadequate logging and incident response (Cloud) [Added]
T2934: Define and implement backup and recovery strategy (GCP) [Added]
- P1862: Inadequate data backup and recovery processes (Cloud) [Added]
T2935: Define and implement endpoint security strategy (GCP) [Added]
- P1863: Unsecured endpoints (Cloud) [Added]
T2936: Define and implement DevOps security strategy (GCP) [Added]
- P1864: Inadequate DevOps security strategy (Cloud) [Added]
T2937: Define and implement multi-cloud security strategy (GCP) [Added]
- P1865: Lack of unified cloud security management (Cloud) [Added]
T2938: Configure Service Credential and Secrets Support Integration and Storage in Azure Key Vault (Azure Bastion) [Added]
- P1797: Unsecured storage of credentials and secrets (Cloud) [Added]
T2939: Configure Azure Policy Support (Azure Bastion) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T2940: Configure Key Management in Azure Key Vault (Azure Bastion) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T2941: Configure Network Security Group Support (Azure Bastion) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T2942: Configure Azure Resource Logs (Azure Bastion) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T2943: Configure Virtual Network Integration (Azure Bastion) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T2944: Configure Azure Policy Support (Azure Key Vault Managed HSM) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T2945: Configure Conditional Access for Data Plane (Azure Key Vault Managed HSM) [Added]
- P1796: Insufficient resource access control (Cloud) [Added]
T2946: Configure Data at Rest Encryption Using CMK (Azure Key Vault Managed HSM) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T2947: Configure Disable Public Network Access (Azure Key Vault Managed HSM) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T2948: Configure Key Management in Azure Key Vault (Azure Key Vault Managed HSM) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T2949: Configure Service Native Backup Capability (Azure Key Vault Managed HSM) [Added]
- P1844: Inadequate data backup practices (Cloud) [Added]
T2950: Configure Azure Private Link (Azure Key Vault Managed HSM) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T2951: Configure Azure Resource Logs (Azure Key Vault Managed HSM) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T2952: Configure Service Credential and Secrets Support Integration and Storage in Azure Key Vault (Azure Databricks) [Added]
- P1797: Unsecured storage of credentials and secrets (Cloud) [Added]
T2953: Configure Azure Policy Support (Azure Databricks) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T2954: Configure Customer Lockbox (Azure Databricks) [Added]
- P1806: Uncontrolled vendor access (Cloud) [Added]
T2955: Configure Data at Rest Encryption Using CMK (Azure Databricks) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T2956: Configure Data in Transit Encryption (Azure Databricks) [Added]
- P1809: Unprotected data in transit (Cloud) [Added]
T2957: Configure Disable Public Network Access (Azure Databricks) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T2958: Configure Key Management in Azure Key Vault (Azure Databricks) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T2959: Configure Service Native Backup Capability (Azure Databricks) [Added]
- P1844: Inadequate data backup practices (Cloud) [Added]
T2960: Configure Network Security Group Support (Azure Databricks) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T2961: Configure Azure Resource Logs (Azure Databricks) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T2962: Configure Service Principals (Azure Databricks) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T2963: Configure Virtual Network Integration (Azure Databricks) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T2964: Configure Service Credential and Secrets Support Integration and Storage in Azure Key Vault (Azure Key Vault) [Added]
- P1797: Unsecured storage of credentials and secrets (Cloud) [Added]
T2965: Configure Azure Policy Support (Azure Key Vault) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T2966: Configure Azure RBAC for Data Plane (Azure Key Vault) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T2967: Configure Certificate Management in Azure Key Vault (Azure Key Vault) [Added]
- P1813: Inadequate certificate management (Cloud) [Added]
T2968: Configure Conditional Access for Data Plane (Azure Key Vault) [Added]
- P1796: Insufficient resource access control (Cloud) [Added]
T2969: Configure Data at Rest Encryption Using CMK (Azure Key Vault) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T2970: Configure Microsoft Defender for Service / Product Offering (Azure Key Vault) [Added]
- P1820: Inadequate threat detection and alerting (Cloud) [Added]
T2971: Configure Disable Public Network Access (Azure Key Vault) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T2972: Configure Key Management in Azure Key Vault (Azure Key Vault) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T2973: Configure Managed Identities (Azure Key Vault) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T2974: Configure Service Native Backup Capability (Azure Key Vault) [Added]
- P1844: Inadequate data backup practices (Cloud) [Added]
T2975: Configure Network Security Group Support (Azure Key Vault) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T2976: Configure Azure Private Link (Azure Key Vault) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T2977: Configure Azure Resource Logs (Azure Key Vault) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T2978: Configure Service Principals (Azure Key Vault) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T2979: Configure Virtual Network Integration (Azure Key Vault) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T2980: Configure Azure RBAC for Data Plane (Azure Resource Mover) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T2981: Configure Managed Identities (Azure Resource Mover) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T2982: Configure Service Principals (Azure Resource Mover) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T2983: Configure Azure AD Authentication Required for Data Plane Access (Azure Database for MySQL) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T2984: Configure Conditional Access for Data Plane (Azure Database for MySQL) [Added]
- P1796: Insufficient resource access control (Cloud) [Added]
T2985: Configure Customer Lockbox (Azure Database for MySQL) [Added]
- P1806: Uncontrolled vendor access (Cloud) [Added]
T2986: Configure Data at Rest Encryption Using CMK (Azure Database for MySQL) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T2987: Configure Disable Public Network Access (Azure Database for MySQL) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T2988: Configure Key Management in Azure Key Vault (Azure Database for MySQL) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T2989: Configure Network Security Group Support (Azure Database for MySQL) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T2990: Configure Azure Resource Logs (Azure Database for MySQL) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T2991: Configure Virtual Network Integration (Azure Database for MySQL) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T2992: Configure Azure AD Authentication Required for Data Plane Access (Azure Spring Apps) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T2993: Configure Azure RBAC for Data Plane (Azure Spring Apps) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T2994: Configure Certificate Management in Azure Key Vault (Azure Spring Apps) [Added]
- P1813: Inadequate certificate management (Cloud) [Added]
T2995: Configure Customer Lockbox (Azure Spring Apps) [Added]
- P1806: Uncontrolled vendor access (Cloud) [Added]
T2996: Configure Managed Identities (Azure Spring Apps) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T2997: Configure Network Security Group Support (Azure Spring Apps) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T2998: Configure Azure Resource Logs (Azure Spring Apps) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T2999: Configure Service Principals (Azure Spring Apps) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3000: Configure Virtual Network Integration (Azure Spring Apps) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3001: Configure Azure Policy Support (Azure Virtual Network) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3002: Configure Azure Resource Logs (Azure Virtual Network) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3003: Configure Azure AD Authentication Required for Data Plane Access (Azure Functions) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3004: Configure Service Credential and Secrets Support Integration and Storage in Azure Key Vault (Azure Functions) [Added]
- P1797: Unsecured storage of credentials and secrets (Cloud) [Added]
T3005: Configure Azure Policy Support (Azure Functions) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3006: Configure Azure RBAC for Data Plane (Azure Functions) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T3007: Configure Certificate Management in Azure Key Vault (Azure Functions) [Added]
- P1813: Inadequate certificate management (Cloud) [Added]
T3008: Configure Conditional Access for Data Plane (Azure Functions) [Added]
- P1796: Insufficient resource access control (Cloud) [Added]
T3009: Configure Customer Lockbox (Azure Functions) [Added]
- P1806: Uncontrolled vendor access (Cloud) [Added]
T3010: Configure Data at Rest Encryption Using CMK (Azure Functions) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3011: Configure Data in Transit Encryption (Azure Functions) [Added]
- P1809: Unprotected data in transit (Cloud) [Added]
T3012: Configure Microsoft Defender for Service / Product Offering (Azure Functions) [Added]
- P1820: Inadequate threat detection and alerting (Cloud) [Added]
T3013: Configure Disable Public Network Access (Azure Functions) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3014: Configure Key Management in Azure Key Vault (Azure Functions) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T3015: Configure Managed Identities (Azure Functions) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3016: Configure Service Native Backup Capability (Azure Functions) [Added]
- P1844: Inadequate data backup practices (Cloud) [Added]
T3017: Configure Network Security Group Support (Azure Functions) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3018: Configure Azure Private Link (Azure Functions) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3019: Configure Azure Resource Logs (Azure Functions) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3020: Configure Service Principals (Azure Functions) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3021: Configure Virtual Network Integration (Azure Functions) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3022: Configure Azure AD Authentication Required for Data Plane Access (Azure DevTest Labs) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3023: Configure Microsoft Defender for Cloud - Adaptive Application Controls (Azure DevTest Labs) [Added]
- P1819: Uncontrolled execution of unauthorized software (Cloud) [Added]
T3024: Configure Service Credential and Secrets Support Integration and Storage in Azure Key Vault (Azure DevTest Labs) [Added]
- P1797: Unsecured storage of credentials and secrets (Cloud) [Added]
T3025: Configure Anti-Malware Solution (Azure DevTest Labs) [Added]
- P1842: Outdated malware protection mechanisms (Cloud) [Added]
T3026: Configure Anti-Malware Solution Health Monitoring (Azure DevTest Labs) [Added]
- P1843: Outdated anti-malware signatures (Cloud) [Added]
T3027: Configure Azure Automation State Configuration (Azure DevTest Labs) [Added]
- P1836: Inadequate compute resource configuration (Cloud) [Added]
T3028: Configure Azure Automation Update Management (Azure DevTest Labs) [Added]
- P1839: Unpatched vulnerabilities in cloud resources (Cloud) [Added]
T3029: Configure Azure Backup (Azure DevTest Labs) [Added]
- P1844: Inadequate data backup practices (Cloud) [Added]
T3030: Configure Azure Policy Guest Configuration Agent (Azure DevTest Labs) [Added]
- P1836: Inadequate compute resource configuration (Cloud) [Added]
T3031: Configure Azure Policy Support (Azure DevTest Labs) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3032: Configure Azure RBAC for Data Plane (Azure DevTest Labs) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T3033: Configure Certificate Management in Azure Key Vault (Azure DevTest Labs) [Added]
- P1813: Inadequate certificate management (Cloud) [Added]
T3034: Configure Conditional Access for Data Plane (Azure DevTest Labs) [Added]
- P1796: Insufficient resource access control (Cloud) [Added]
T3035: Configure Disable Public Network Access (Azure DevTest Labs) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3036: Configure Key Management in Azure Key Vault (Azure DevTest Labs) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T3037: Configure Managed Identities (Azure DevTest Labs) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3038: Configure Network Security Group Support (Azure DevTest Labs) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3039: Configure Service Principals (Azure DevTest Labs) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3040: Configure Vulnerability Assessment using Microsoft Defender (Azure DevTest Labs) [Added]
- P1838: Lack of vulnerability assessments (Cloud) [Added]
T3041: Configure Azure Policy Support (Azure Load Balancer) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3042: Configure Network Security Group Support (Azure Load Balancer) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3043: Configure Virtual Network Integration (Azure Load Balancer) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3044: Configure Azure Policy Support (Azure Content Delivery Network) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3045: Configure Azure RBAC for Data Plane (Azure Content Delivery Network) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T3046: Configure Certificate Management in Azure Key Vault (Azure Content Delivery Network) [Added]
- P1813: Inadequate certificate management (Cloud) [Added]
T3047: Configure Data in Transit Encryption (Azure Content Delivery Network) [Added]
- P1809: Unprotected data in transit (Cloud) [Added]
T3048: Configure Azure Resource Logs (Azure Content Delivery Network) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3049: Configure Azure Policy Support (Azure Private Link) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3050: Configure Network Security Group Support (Azure Private Link) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3051: Configure Azure Policy Support (Azure Digital Twins) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3052: Configure Azure RBAC for Data Plane (Azure Digital Twins) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T3053: Configure Conditional Access for Data Plane (Azure Digital Twins) [Added]
- P1796: Insufficient resource access control (Cloud) [Added]
T3054: Configure Disable Public Network Access (Azure Digital Twins) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3055: Configure Managed Identities (Azure Digital Twins) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3056: Configure Azure Private Link (Azure Digital Twins) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3057: Configure Azure Resource Logs (Azure Digital Twins) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3058: Configure Service Principals (Azure Digital Twins) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3059: Configure Azure AD Authentication Required for Data Plane Access (Azure Kubernetes Service (AKS)) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3060: Configure Service Credential and Secrets Support Integration and Storage in Azure Key Vault (Azure Kubernetes Service (AKS)) [Added]
- P1797: Unsecured storage of credentials and secrets (Cloud) [Added]
T3061: Configure Azure Backup (Azure Kubernetes Service (AKS)) [Added]
- P1844: Inadequate data backup practices (Cloud) [Added]
T3062: Configure Azure Policy Support (Azure Kubernetes Service (AKS)) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3063: Configure Azure RBAC for Data Plane (Azure Kubernetes Service (AKS)) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T3064: Configure Certificate Management in Azure Key Vault (Azure Kubernetes Service (AKS)) [Added]
- P1813: Inadequate certificate management (Cloud) [Added]
T3065: Configure Conditional Access for Data Plane (Azure Kubernetes Service (AKS)) [Added]
- P1796: Insufficient resource access control (Cloud) [Added]
T3066: Configure Customer Lockbox (Azure Kubernetes Service (AKS)) [Added]
- P1806: Uncontrolled vendor access (Cloud) [Added]
T3067: Configure Data at Rest Encryption Using CMK (Azure Kubernetes Service (AKS)) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3068: Configure Data at Rest Encryption Using Platform Keys (Azure Kubernetes Service (AKS)) [Added]
- P1810: Unprotected data at rest (Cloud) [Added]
T3069: Configure Data in Transit Encryption (Azure Kubernetes Service (AKS)) [Added]
- P1809: Unprotected data in transit (Cloud) [Added]
T3070: Configure Data Leakage/Loss Prevention (Azure Kubernetes Service (AKS)) [Added]
- P1808: Unmonitored sensitive data transfers (Cloud) [Added]
T3071: Configure Microsoft Defender for Service / Product Offering (Azure Kubernetes Service (AKS)) [Added]
- P1820: Inadequate threat detection and alerting (Cloud) [Added]
T3072: Configure Disable Public Network Access (Azure Kubernetes Service (AKS)) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3073: Configure Key Management in Azure Key Vault (Azure Kubernetes Service (AKS)) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T3074: Configure Local Admin Accounts (Azure Kubernetes Service (AKS)) [Added]
- P1799: Excessive privileged access (Cloud) [Added]
T3075: Configure Local Authentication Methods for Data Plane Access (Azure Kubernetes Service (AKS)) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3076: Configure Azure Private Link (Azure Kubernetes Service (AKS)) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3077: Configure Azure Resource Logs (Azure Kubernetes Service (AKS)) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3078: Configure Service Principals (Azure Kubernetes Service (AKS)) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3079: Configure Azure AD Authentication Required for Data Plane Access (Azure Media Services) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3080: Configure Azure Policy Support (Azure Media Services) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3081: Configure Azure RBAC for Data Plane (Azure Media Services) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T3082: Configure Data at Rest Encryption Using CMK (Azure Media Services) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3083: Configure Disable Public Network Access (Azure Media Services) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3084: Configure Azure Private Link (Azure Media Services) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3085: Configure Azure Resource Logs (Azure Media Services) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3086: Configure Service Principals (Azure Media Services) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3087: Configure Azure Policy Support (Azure Data Lake Analytics) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3088: Configure Disable Public Network Access (Azure Data Lake Analytics) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3089: Configure Azure Policy Support (Azure Firewall Manager) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3090: Configure Certificate Management in Azure Key Vault (Azure Firewall Manager) [Added]
- P1813: Inadequate certificate management (Cloud) [Added]
T3091: Configure Azure AD Authentication Required for Data Plane Access (Azure IoT Central) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3092: Configure Azure Policy Support (Azure IoT Central) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3093: Configure Disable Public Network Access (Azure IoT Central) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3094: Configure Local Authentication Methods for Data Plane Access (Azure IoT Central) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3095: Configure Managed Identities (Azure IoT Central) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3096: Configure Azure Private Link (Azure IoT Central) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3097: Configure Service Principals (Azure IoT Central) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3098: Configure Azure AD Authentication Required for Data Plane Access (Azure Virtual Desktop) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3099: Configure Anti-Malware Solution (Azure Virtual Desktop) [Added]
- P1842: Outdated malware protection mechanisms (Cloud) [Added]
T3100: Configure Anti-Malware Solution Health Monitoring (Azure Virtual Desktop) [Added]
- P1843: Outdated anti-malware signatures (Cloud) [Added]
T3101: Configure Azure Backup (Azure Virtual Desktop) [Added]
- P1844: Inadequate data backup practices (Cloud) [Added]
T3102: Configure Azure Policy Support (Azure Virtual Desktop) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3103: Configure Azure RBAC for Data Plane (Azure Virtual Desktop) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T3104: Configure Conditional Access for Data Plane (Azure Virtual Desktop) [Added]
- P1796: Insufficient resource access control (Cloud) [Added]
T3105: Configure Custom VM Images (Azure Virtual Desktop) [Added]
- P1836: Inadequate compute resource configuration (Cloud) [Added]
T3106: Configure Data Leakage/Loss Prevention (Azure Virtual Desktop) [Added]
- P1808: Unmonitored sensitive data transfers (Cloud) [Added]
T3107: Configure Microsoft Defender for Service / Product Offering (Azure Virtual Desktop) [Added]
- P1820: Inadequate threat detection and alerting (Cloud) [Added]
T3108: Configure EDR Solution (Azure Virtual Desktop) [Added]
- P1841: Unmonitored endpoint activity (Cloud) [Added]
T3109: Configure Local Admin Accounts (Azure Virtual Desktop) [Added]
- P1799: Excessive privileged access (Cloud) [Added]
T3110: Configure Managed Identities (Azure Virtual Desktop) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3111: Configure Network Security Group Support (Azure Virtual Desktop) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3112: Configure Azure Private Link (Azure Virtual Desktop) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3113: Configure Azure Resource Logs (Azure Virtual Desktop) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3114: Configure Sensitive Data Discovery and Classification (Azure Virtual Desktop) [Added]
- P1807: Unidentified and unprotected sensitive data (Cloud) [Added]
T3115: Configure Service Principals (Azure Virtual Desktop) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3116: Configure Virtual Network Integration (Azure Virtual Desktop) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3117: Configure Vulnerability Assessment using Microsoft Defender (Azure Virtual Desktop) [Added]
- P1838: Lack of vulnerability assessments (Cloud) [Added]
T3118: Configure Service Credential and Secrets Support Integration and Storage in Azure Key Vault (Azure Stack Edge) [Added]
- P1797: Unsecured storage of credentials and secrets (Cloud) [Added]
T3119: Configure Azure Backup (Azure Stack Edge) [Added]
- P1844: Inadequate data backup practices (Cloud) [Added]
T3120: Configure Azure Policy Support (Azure Stack Edge) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3121: Configure Data at Rest Encryption Using CMK (Azure Stack Edge) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3122: Configure Service Credential and Secrets Support Integration and Storage in Azure Key Vault (Azure Application Gateway) [Added]
- P1797: Unsecured storage of credentials and secrets (Cloud) [Added]
T3123: Configure Azure Policy Support (Azure Application Gateway) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3124: Configure Certificate Management in Azure Key Vault (Azure Application Gateway) [Added]
- P1813: Inadequate certificate management (Cloud) [Added]
T3125: Configure Data in Transit Encryption (Azure Application Gateway) [Added]
- P1809: Unprotected data in transit (Cloud) [Added]
T3126: Configure Network Security Group Support (Azure Application Gateway) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3127: Configure Azure Private Link (Azure Application Gateway) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3128: Configure Azure Resource Logs (Azure Application Gateway) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3129: Configure Azure AD Authentication Required for Data Plane Access (Azure Web PubSub) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3130: Configure Service Credential and Secrets Support Integration and Storage in Azure Key Vault (Azure Web PubSub) [Added]
- P1797: Unsecured storage of credentials and secrets (Cloud) [Added]
T3131: Configure Azure Policy Support (Azure Web PubSub) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3132: Configure Azure RBAC for Data Plane (Azure Web PubSub) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T3133: Configure Conditional Access for Data Plane (Azure Web PubSub) [Added]
- P1796: Insufficient resource access control (Cloud) [Added]
T3134: Configure Disable Public Network Access (Azure Web PubSub) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3135: Configure Key Management in Azure Key Vault (Azure Web PubSub) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T3136: Configure Managed Identities (Azure Web PubSub) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3137: Configure Azure Private Link (Azure Web PubSub) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3138: Configure Azure Resource Logs (Azure Web PubSub) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3139: Configure Service Principals (Azure Web PubSub) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3140: Configure Azure AD Authentication Required for Data Plane Access (Azure Container Apps) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3141: Configure Azure Policy Support (Azure Container Apps) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3142: Configure Data in Transit Encryption (Azure Container Apps) [Added]
- P1809: Unprotected data in transit (Cloud) [Added]
T3143: Configure Disable Public Network Access (Azure Container Apps) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3144: Configure Managed Identities (Azure Container Apps) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3145: Configure Network Security Group Support (Azure Container Apps) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3146: Configure Service Principals (Azure Container Apps) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3147: Configure Virtual Network Integration (Azure Container Apps) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3148: Configure Azure AD Authentication Required for Data Plane Access (Azure Purview) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3149: Configure Service Credential and Secrets Support Integration and Storage in Azure Key Vault (Azure Purview) [Added]
- P1797: Unsecured storage of credentials and secrets (Cloud) [Added]
T3150: Configure Azure Policy Support (Azure Purview) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3151: Configure Azure RBAC for Data Plane (Azure Purview) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T3152: Configure Conditional Access for Data Plane (Azure Purview) [Added]
- P1796: Insufficient resource access control (Cloud) [Added]
T3153: Configure Disable Public Network Access (Azure Purview) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3154: Configure Key Management in Azure Key Vault (Azure Purview) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T3155: Configure Managed Identities (Azure Purview) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3156: Configure Network Security Group Support (Azure Purview) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3157: Configure Azure Private Link (Azure Purview) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3158: Configure Azure Resource Logs (Azure Purview) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3159: Configure Service Principals (Azure Purview) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3160: Configure Virtual Network Integration (Azure Purview) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3161: Configure Azure AD Authentication Required for Data Plane Access (Azure VPN Gateway) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3162: Configure Azure Policy Support (Azure VPN Gateway) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3163: Configure Conditional Access for Data Plane (Azure VPN Gateway) [Added]
- P1796: Insufficient resource access control (Cloud) [Added]
T3164: Configure Service Credential and Secrets Support Integration and Storage in Azure Key Vault (Azure Virtual WAN) [Added]
- P1797: Unsecured storage of credentials and secrets (Cloud) [Added]
T3165: Configure Azure Policy Support (Azure Virtual WAN) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3166: Configure Data in Transit Encryption (Azure Virtual WAN) [Added]
- P1809: Unprotected data in transit (Cloud) [Added]
T3167: Configure Key Management in Azure Key Vault (Azure Virtual WAN) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T3168: Configure Azure Resource Logs (Azure Virtual WAN) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3169: Configure Azure AD Authentication Required for Data Plane Access (Azure Site Recovery) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3170: Configure Azure Policy Support (Azure Site Recovery) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3171: Configure Azure RBAC for Data Plane (Azure Site Recovery) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T3172: Configure Certificate Management in Azure Key Vault (Azure Site Recovery) [Added]
- P1813: Inadequate certificate management (Cloud) [Added]
T3173: Configure Data at Rest Encryption Using CMK (Azure Site Recovery) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3174: Configure Key Management in Azure Key Vault (Azure Site Recovery) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T3175: Configure Azure Private Link (Azure Site Recovery) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3176: Configure Azure Resource Logs (Azure Site Recovery) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3177: Configure Service Principals (Azure Site Recovery) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3178: Configure Conditional Access for Data Plane (Azure Analysis Services) [Added]
- P1796: Insufficient resource access control (Cloud) [Added]
T3179: Configure Managed Identities (Azure Analysis Services) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3180: Configure Service Native Backup Capability (Azure Analysis Services) [Added]
- P1844: Inadequate data backup practices (Cloud) [Added]
T3181: Configure Azure Resource Logs (Azure Analysis Services) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3182: Configure Service Principals (Azure Analysis Services) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3183: Configure Azure Policy Support (Azure Data Box) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3184: Configure Azure RBAC for Data Plane (Azure Data Box) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T3185: Configure Customer Lockbox (Azure Data Box) [Added]
- P1806: Uncontrolled vendor access (Cloud) [Added]
T3186: Configure Data at Rest Encryption Using CMK (Azure Data Box) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3187: Configure Azure Policy Support (Azure Container Instances) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3188: Configure Azure RBAC for Data Plane (Azure Container Instances) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T3189: Configure Conditional Access for Data Plane (Azure Container Instances) [Added]
- P1796: Insufficient resource access control (Cloud) [Added]
T3190: Configure Data at Rest Encryption Using CMK (Azure Container Instances) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3191: Configure Data at Rest Encryption Using Platform Keys (Azure Container Instances) [Added]
- P1810: Unprotected data at rest (Cloud) [Added]
T3192: Configure Key Management in Azure Key Vault (Azure Container Instances) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T3193: Configure Managed Identities (Azure Container Instances) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3194: Configure Network Security Group Support (Azure Container Instances) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3195: Configure Azure Resource Logs (Azure Container Instances) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3196: Configure Virtual Network Integration (Azure Container Instances) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3197: Configure Azure Policy Support (Azure Arc) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3198: Configure Microsoft Defender for Service / Product Offering (Azure Arc) [Added]
- P1820: Inadequate threat detection and alerting (Cloud) [Added]
T3199: Configure Disable Public Network Access (Azure Arc) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3200: Configure Local Admin Accounts (Azure Arc) [Added]
- P1799: Excessive privileged access (Cloud) [Added]
T3201: Configure Local Authentication Methods for Data Plane Access (Azure Arc) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3202: Configure Azure Private Link (Azure Arc) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3203: Configure Service Principals (Azure Arc) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3204: Configure Azure AD Authentication Required for Data Plane Access (Azure Logic Apps) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3205: Configure Service Credential and Secrets Support Integration and Storage in Azure Key Vault (Azure Logic Apps) [Added]
- P1797: Unsecured storage of credentials and secrets (Cloud) [Added]
T3206: Configure Azure Policy Support (Azure Logic Apps) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3207: Configure Certificate Management in Azure Key Vault (Azure Logic Apps) [Added]
- P1813: Inadequate certificate management (Cloud) [Added]
T3208: Configure Customer Lockbox (Azure Logic Apps) [Added]
- P1806: Uncontrolled vendor access (Cloud) [Added]
T3209: Configure Data at Rest Encryption Using CMK (Azure Logic Apps) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3210: Configure Microsoft Defender for Service / Product Offering (Azure Logic Apps) [Added]
- P1820: Inadequate threat detection and alerting (Cloud) [Added]
T3211: Configure Disable Public Network Access (Azure Logic Apps) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3212: Configure Key Management in Azure Key Vault (Azure Logic Apps) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T3213: Configure Local Authentication Methods for Data Plane Access (Azure Logic Apps) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3214: Configure Managed Identities (Azure Logic Apps) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3215: Configure Network Security Group Support (Azure Logic Apps) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3216: Configure Azure Private Link (Azure Logic Apps) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3217: Configure Azure Resource Logs (Azure Logic Apps) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3218: Configure Service Principals (Azure Logic Apps) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3219: Configure Virtual Network Integration (Azure Logic Apps) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3220: Configure Azure Policy Support (Azure Monitor) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3221: Configure Conditional Access for Data Plane (Azure Monitor) [Added]
- P1796: Insufficient resource access control (Cloud) [Added]
T3222: Configure Customer Lockbox (Azure Monitor) [Added]
- P1806: Uncontrolled vendor access (Cloud) [Added]
T3223: Configure Data at Rest Encryption Using CMK (Azure Monitor) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3224: Configure Data in Transit Encryption (Azure Monitor) [Added]
- P1809: Unprotected data in transit (Cloud) [Added]
T3225: Configure Disable Public Network Access (Azure Monitor) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3226: Configure Managed Identities (Azure Monitor) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3227: Configure Network Security Group Support (Azure Monitor) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3228: Configure Azure Private Link (Azure Monitor) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3229: Configure Service Principals (Azure Monitor) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3230: Configure Virtual Network Integration (Azure Monitor) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3231: Configure Azure AD Authentication Required for Data Plane Access (Azure App Configuration) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3232: Configure Azure Policy Support (Azure App Configuration) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3233: Configure Azure RBAC for Data Plane (Azure App Configuration) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T3234: Configure Conditional Access for Data Plane (Azure App Configuration) [Added]
- P1796: Insufficient resource access control (Cloud) [Added]
T3235: Configure Data at Rest Encryption Using CMK (Azure App Configuration) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3236: Configure Disable Public Network Access (Azure App Configuration) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3237: Configure Managed Identities (Azure App Configuration) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3238: Configure Network Security Group Support (Azure App Configuration) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3239: Configure Azure Private Link (Azure App Configuration) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3240: Configure Azure Resource Logs (Azure App Configuration) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3241: Configure Service Principals (Azure App Configuration) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3242: Configure Virtual Network Integration (Azure App Configuration) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3243: Configure Azure AD Authentication Required for Data Plane Access (Azure API Management) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3244: Configure Service Credential and Secrets Support Integration and Storage in Azure Key Vault (Azure API Management) [Added]
- P1797: Unsecured storage of credentials and secrets (Cloud) [Added]
T3245: Configure Azure Policy Support (Azure API Management) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3246: Configure Azure RBAC for Data Plane (Azure API Management) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T3247: Configure Certificate Management in Azure Key Vault (Azure API Management) [Added]
- P1813: Inadequate certificate management (Cloud) [Added]
T3248: Configure Customer Lockbox (Azure API Management) [Added]
- P1806: Uncontrolled vendor access (Cloud) [Added]
T3249: Configure Disable Public Network Access (Azure API Management) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3250: Configure Key Management in Azure Key Vault (Azure API Management) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T3251: Configure Local Admin Accounts (Azure API Management) [Added]
- P1799: Excessive privileged access (Cloud) [Added]
T3252: Configure Local Authentication Methods for Data Plane Access (Azure API Management) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3253: Configure Managed Identities (Azure API Management) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3254: Configure Service Native Backup Capability (Azure API Management) [Added]
- P1844: Inadequate data backup practices (Cloud) [Added]
T3255: Configure Network Security Group Support (Azure API Management) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3256: Configure Azure Private Link (Azure API Management) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3257: Configure Azure Resource Logs (Azure API Management) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3258: Configure Service Principals (Azure API Management) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3259: Configure Virtual Network Integration (Azure API Management) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3260: Configure Azure AD Authentication Required for Data Plane Access (Azure Windows Virtual Machines) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3261: Configure Microsoft Defender for Cloud - Adaptive Application Controls (Azure Windows Virtual Machines) [Added]
- P1819: Uncontrolled execution of unauthorized software (Cloud) [Added]
T3262: Configure Service Credential and Secrets Support Integration and Storage in Azure Key Vault (Azure Windows Virtual Machines) [Added]
- P1797: Unsecured storage of credentials and secrets (Cloud) [Added]
T3263: Configure Anti-Malware Solution (Azure Windows Virtual Machines) [Added]
- P1842: Outdated malware protection mechanisms (Cloud) [Added]
T3264: Configure Anti-Malware Solution Health Monitoring (Azure Windows Virtual Machines) [Added]
- P1843: Outdated anti-malware signatures (Cloud) [Added]
T3265: Configure Azure Automation State Configuration (Azure Windows Virtual Machines) [Added]
- P1836: Inadequate compute resource configuration (Cloud) [Added]
T3266: Configure Azure Automation Update Management (Azure Windows Virtual Machines) [Added]
- P1839: Unpatched vulnerabilities in cloud resources (Cloud) [Added]
T3267: Configure Azure Backup (Azure Windows Virtual Machines) [Added]
- P1844: Inadequate data backup practices (Cloud) [Added]
T3268: Configure Azure Policy Guest Configuration Agent (Azure Windows Virtual Machines) [Added]
- P1836: Inadequate compute resource configuration (Cloud) [Added]
T3269: Configure Azure Policy Support (Azure Windows Virtual Machines) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3270: Configure Azure RBAC for Data Plane (Azure Windows Virtual Machines) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T3271: Configure Conditional Access for Data Plane (Azure Windows Virtual Machines) [Added]
- P1796: Insufficient resource access control (Cloud) [Added]
T3272: Configure Customer Lockbox (Azure Windows Virtual Machines) [Added]
- P1806: Uncontrolled vendor access (Cloud) [Added]
T3273: Configure Custom VM Images (Azure Windows Virtual Machines) [Added]
- P1836: Inadequate compute resource configuration (Cloud) [Added]
T3274: Configure Data at Rest Encryption Using CMK (Azure Windows Virtual Machines) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3275: Configure Data in Transit Encryption (Azure Windows Virtual Machines) [Added]
- P1809: Unprotected data in transit (Cloud) [Added]
T3276: Configure Microsoft Defender for Service / Product Offering (Azure Windows Virtual Machines) [Added]
- P1820: Inadequate threat detection and alerting (Cloud) [Added]
T3277: Configure Disable Public Network Access (Azure Windows Virtual Machines) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3278: Configure EDR Solution (Azure Windows Virtual Machines) [Added]
- P1841: Unmonitored endpoint activity (Cloud) [Added]
T3279: Configure Key Management in Azure Key Vault (Azure Windows Virtual Machines) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T3280: Configure Managed Identities (Azure Windows Virtual Machines) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3281: Configure Network Security Group Support (Azure Windows Virtual Machines) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3282: Configure Azure Resource Logs (Azure Windows Virtual Machines) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3283: Configure Service Principals (Azure Windows Virtual Machines) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3284: Configure Vulnerability Assessment using Microsoft Defender (Azure Windows Virtual Machines) [Added]
- P1838: Lack of vulnerability assessments (Cloud) [Added]
T3285: Configure Service Credential and Secrets Support Integration and Storage in Azure Key Vault (Azure Front Door) [Added]
- P1797: Unsecured storage of credentials and secrets (Cloud) [Added]
T3286: Configure Certificate Management in Azure Key Vault (Azure Front Door) [Added]
- P1813: Inadequate certificate management (Cloud) [Added]
T3287: Configure Key Management in Azure Key Vault (Azure Front Door) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T3288: Configure Azure Private Link (Azure Front Door) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3289: Configure Azure Resource Logs (Azure Front Door) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3290: Configure Azure AD Authentication Required for Data Plane Access (Azure Data Factory) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3291: Configure Service Credential and Secrets Support Integration and Storage in Azure Key Vault (Azure Data Factory) [Added]
- P1797: Unsecured storage of credentials and secrets (Cloud) [Added]
T3292: Configure Azure Policy Support (Azure Data Factory) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3293: Configure Certificate Management in Azure Key Vault (Azure Data Factory) [Added]
- P1813: Inadequate certificate management (Cloud) [Added]
T3294: Configure Conditional Access for Data Plane (Azure Data Factory) [Added]
- P1796: Insufficient resource access control (Cloud) [Added]
T3295: Configure Customer Lockbox (Azure Data Factory) [Added]
- P1806: Uncontrolled vendor access (Cloud) [Added]
T3296: Configure Data at Rest Encryption Using CMK (Azure Data Factory) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3297: Configure Disable Public Network Access (Azure Data Factory) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3298: Configure Key Management in Azure Key Vault (Azure Data Factory) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T3299: Configure Local Authentication Methods for Data Plane Access (Azure Data Factory) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3300: Configure Managed Identities (Azure Data Factory) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3301: Configure Service Native Backup Capability (Azure Data Factory) [Added]
- P1844: Inadequate data backup practices (Cloud) [Added]
T3302: Configure Network Security Group Support (Azure Data Factory) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3303: Configure Azure Private Link (Azure Data Factory) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3304: Configure Sensitive Data Discovery and Classification (Azure Data Factory) [Added]
- P1807: Unidentified and unprotected sensitive data (Cloud) [Added]
T3305: Configure Service Principals (Azure Data Factory) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3306: Configure Virtual Network Integration (Azure Data Factory) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3307: Configure Azure AD Authentication Required for Data Plane Access (Azure Remote Rendering) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3308: Configure Azure RBAC for Data Plane (Azure Remote Rendering) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T3309: Configure Service Principals (Azure Remote Rendering) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3310: Configure Azure Policy Support (Azure DDoS Protection) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3311: Configure Azure Resource Logs (Azure DDoS Protection) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3312: Configure Azure Policy Support (Azure Traffic Manager) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3313: Configure Azure Resource Logs (Azure Traffic Manager) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3314: Configure Azure Policy Support (Azure DNS) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3315: Configure Azure RBAC for Data Plane (Azure DNS) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T3316: Configure Microsoft Defender for Service / Product Offering (Azure DNS) [Added]
- P1820: Inadequate threat detection and alerting (Cloud) [Added]
T3317: Configure Azure Resource Logs (Azure DNS) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3318: Configure Azure Policy Support (Azure Container Registry) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3319: Configure Customer Lockbox (Azure Container Registry) [Added]
- P1806: Uncontrolled vendor access (Cloud) [Added]
T3320: Configure Data at Rest Encryption Using CMK (Azure Container Registry) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3321: Configure Data Leakage/Loss Prevention (Azure Container Registry) [Added]
- P1808: Unmonitored sensitive data transfers (Cloud) [Added]
T3322: Configure Microsoft Defender for Service / Product Offering (Azure Container Registry) [Added]
- P1820: Inadequate threat detection and alerting (Cloud) [Added]
T3323: Configure Disable Public Network Access (Azure Container Registry) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3324: Configure Local Admin Accounts (Azure Container Registry) [Added]
- P1799: Excessive privileged access (Cloud) [Added]
T3325: Configure Local Authentication Methods for Data Plane Access (Azure Container Registry) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3326: Configure Managed Identities (Azure Container Registry) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3327: Configure Azure Private Link (Azure Container Registry) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3328: Configure Azure Resource Logs (Azure Container Registry) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3329: Configure Service Principals (Azure Container Registry) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3330: Configure Azure Policy Support (Azure Data Share) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3331: Configure Azure Resource Logs (Azure Data Share) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3332: Configure Azure AD Authentication Required for Data Plane Access (Azure Event Hubs) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3333: Configure Azure Policy Support (Azure Event Hubs) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3334: Configure Azure RBAC for Data Plane (Azure Event Hubs) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T3335: Configure Conditional Access for Data Plane (Azure Event Hubs) [Added]
- P1796: Insufficient resource access control (Cloud) [Added]
T3336: Configure Data at Rest Encryption Using CMK (Azure Event Hubs) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3337: Configure Key Management in Azure Key Vault (Azure Event Hubs) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T3338: Configure Managed Identities (Azure Event Hubs) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3339: Configure Network Security Group Support (Azure Event Hubs) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3340: Configure Azure Private Link (Azure Event Hubs) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3341: Configure Azure Resource Logs (Azure Event Hubs) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3342: Configure Service Principals (Azure Event Hubs) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3343: Configure Virtual Network Integration (Azure Event Hubs) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3344: Configure Azure AD Authentication Required for Data Plane Access (Azure Network Watcher) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3345: Configure Azure Policy Support (Azure Network Watcher) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3346: Configure Azure RBAC for Data Plane (Azure Network Watcher) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T3347: Configure Azure Policy Support (Azure Defender for Cloud) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3348: Configure Azure RBAC for Data Plane (Azure Defender for Cloud) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T3349: Configure Conditional Access for Data Plane (Azure Defender for Cloud) [Added]
- P1796: Insufficient resource access control (Cloud) [Added]
T3350: Configure Data at Rest Encryption Using CMK (Azure Defender for Cloud) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3351: Configure Key Management in Azure Key Vault (Azure Defender for Cloud) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T3352: Configure Managed Identities (Azure Defender for Cloud) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3353: Configure Service Principals (Azure Defender for Cloud) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3354: Configure Azure Policy Support (Azure Cache for Redis) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3355: Configure Network Security Group Support (Azure Cache for Redis) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3356: Configure Azure Private Link (Azure Cache for Redis) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3357: Configure Azure Resource Logs (Azure Cache for Redis) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3358: Configure Virtual Network Integration (Azure Cache for Redis) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3359: Configure Azure RBAC for Data Plane (Azure Database Migration Service) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T3360: Configure Network Security Group Support (Azure Database Migration Service) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3361: Configure Service Credential and Secrets Support Integration and Storage in Azure Key Vault (Azure Machine Learning) [Added]
- P1797: Unsecured storage of credentials and secrets (Cloud) [Added]
T3362: Configure Anti-Malware Solution (Azure Machine Learning) [Added]
- P1842: Outdated malware protection mechanisms (Cloud) [Added]
T3363: Configure Anti-Malware Solution Health Monitoring (Azure Machine Learning) [Added]
- P1843: Outdated anti-malware signatures (Cloud) [Added]
T3364: Configure Azure Policy Guest Configuration Agent (Azure Machine Learning) [Added]
- P1836: Inadequate compute resource configuration (Cloud) [Added]
T3365: Configure Azure Policy Support (Azure Machine Learning) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3366: Configure Azure RBAC for Data Plane (Azure Machine Learning) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T3367: Configure Conditional Access for Data Plane (Azure Machine Learning) [Added]
- P1796: Insufficient resource access control (Cloud) [Added]
T3368: Configure Custom Containers Images (Azure Machine Learning) [Added]
- P1836: Inadequate compute resource configuration (Cloud) [Added]
T3369: Configure Data at Rest Encryption Using CMK (Azure Machine Learning) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3370: Configure Data Leakage/Loss Prevention (Azure Machine Learning) [Added]
- P1808: Unmonitored sensitive data transfers (Cloud) [Added]
T3371: Configure Disable Public Network Access (Azure Machine Learning) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3372: Configure Key Management in Azure Key Vault (Azure Machine Learning) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T3373: Configure Managed Identities (Azure Machine Learning) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3374: Configure Network Security Group Support (Azure Machine Learning) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3375: Configure Azure Private Link (Azure Machine Learning) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3376: Configure Azure Resource Logs (Azure Machine Learning) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3377: Configure Sensitive Data Discovery and Classification (Azure Machine Learning) [Added]
- P1807: Unidentified and unprotected sensitive data (Cloud) [Added]
T3378: Configure Service Principals (Azure Machine Learning) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3379: Configure Virtual Network Integration (Azure Machine Learning) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3380: Configure Certificate Management in Azure Key Vault (Azure Automation) [Added]
- P1813: Inadequate certificate management (Cloud) [Added]
T3381: Configure Data at Rest Encryption Using CMK (Azure Automation) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3382: Configure Disable Public Network Access (Azure Automation) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3383: Configure Key Management in Azure Key Vault (Azure Automation) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T3384: Configure Local Authentication Methods for Data Plane Access (Azure Automation) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3385: Configure Azure Private Link (Azure Automation) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3386: Configure Azure Resource Logs (Azure Automation) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3387: Configure Virtual Network Integration (Azure Automation) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3388: Configure Azure AD Authentication Required for Data Plane Access (Azure Linux Virtual Machines) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3389: Configure Microsoft Defender for Cloud - Adaptive Application Controls (Azure Linux Virtual Machines) [Added]
- P1819: Uncontrolled execution of unauthorized software (Cloud) [Added]
T3390: Configure Service Credential and Secrets Support Integration and Storage in Azure Key Vault (Azure Linux Virtual Machines) [Added]
- P1797: Unsecured storage of credentials and secrets (Cloud) [Added]
T3391: Configure Anti-Malware Solution (Azure Linux Virtual Machines) [Added]
- P1842: Outdated malware protection mechanisms (Cloud) [Added]
T3392: Configure Anti-Malware Solution Health Monitoring (Azure Linux Virtual Machines) [Added]
- P1843: Outdated anti-malware signatures (Cloud) [Added]
T3393: Configure Azure Automation State Configuration (Azure Linux Virtual Machines) [Added]
- P1836: Inadequate compute resource configuration (Cloud) [Added]
T3394: Configure Azure Automation Update Management (Azure Linux Virtual Machines) [Added]
- P1839: Unpatched vulnerabilities in cloud resources (Cloud) [Added]
T3395: Configure Azure Backup (Azure Linux Virtual Machines) [Added]
- P1844: Inadequate data backup practices (Cloud) [Added]
T3396: Configure Azure Policy Guest Configuration Agent (Azure Linux Virtual Machines) [Added]
- P1836: Inadequate compute resource configuration (Cloud) [Added]
T3397: Configure Azure Policy Support (Azure Linux Virtual Machines) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3398: Configure Azure RBAC for Data Plane (Azure Linux Virtual Machines) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T3399: Configure Conditional Access for Data Plane (Azure Linux Virtual Machines) [Added]
- P1796: Insufficient resource access control (Cloud) [Added]
T3400: Configure Customer Lockbox (Azure Linux Virtual Machines) [Added]
- P1806: Uncontrolled vendor access (Cloud) [Added]
T3401: Configure Custom VM Images (Azure Linux Virtual Machines) [Added]
- P1836: Inadequate compute resource configuration (Cloud) [Added]
T3402: Configure Data at Rest Encryption Using CMK (Azure Linux Virtual Machines) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3403: Configure Data in Transit Encryption (Azure Linux Virtual Machines) [Added]
- P1809: Unprotected data in transit (Cloud) [Added]
T3404: Configure Microsoft Defender for Service / Product Offering (Azure Linux Virtual Machines) [Added]
- P1820: Inadequate threat detection and alerting (Cloud) [Added]
T3405: Configure Disable Public Network Access (Azure Linux Virtual Machines) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3406: Configure EDR Solution (Azure Linux Virtual Machines) [Added]
- P1841: Unmonitored endpoint activity (Cloud) [Added]
T3407: Configure Key Management in Azure Key Vault (Azure Linux Virtual Machines) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T3408: Configure Managed Identities (Azure Linux Virtual Machines) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3409: Configure Network Security Group Support (Azure Linux Virtual Machines) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3410: Configure Azure Resource Logs (Azure Linux Virtual Machines) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3411: Configure Service Principals (Azure Linux Virtual Machines) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3412: Configure Vulnerability Assessment using Microsoft Defender (Azure Linux Virtual Machines) [Added]
- P1838: Lack of vulnerability assessments (Cloud) [Added]
T3413: Configure Azure Policy Support (Azure Service Bus) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3414: Configure Azure RBAC for Data Plane (Azure Service Bus) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T3415: Configure Conditional Access for Data Plane (Azure Service Bus) [Added]
- P1796: Insufficient resource access control (Cloud) [Added]
T3416: Configure Data at Rest Encryption Using CMK (Azure Service Bus) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3417: Configure Disable Public Network Access (Azure Service Bus) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3418: Configure Key Management in Azure Key Vault (Azure Service Bus) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T3419: Configure Managed Identities (Azure Service Bus) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3420: Configure Network Security Group Support (Azure Service Bus) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3421: Configure Azure Private Link (Azure Service Bus) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3422: Configure Azure Resource Logs (Azure Service Bus) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3423: Configure Service Principals (Azure Service Bus) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3424: Configure Virtual Network Integration (Azure Service Bus) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3425: Configure Azure Policy Support (Azure SignalR Service) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3426: Configure Certificate Management in Azure Key Vault (Azure SignalR Service) [Added]
- P1813: Inadequate certificate management (Cloud) [Added]
T3427: Configure Disable Public Network Access (Azure SignalR Service) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3428: Configure Azure AD Authentication Required for Data Plane Access (Azure AI Bot Service) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3429: Configure Service Credential and Secrets Support Integration and Storage in Azure Key Vault (Azure AI Bot Service) [Added]
- P1797: Unsecured storage of credentials and secrets (Cloud) [Added]
T3430: Configure Azure Policy Support (Azure AI Bot Service) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3431: Configure Data at Rest Encryption Using CMK (Azure AI Bot Service) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3432: Configure Disable Public Network Access (Azure AI Bot Service) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3433: Configure Key Management in Azure Key Vault (Azure AI Bot Service) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T3434: Configure Local Authentication Methods for Data Plane Access (Azure AI Bot Service) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3435: Configure Managed Identities (Azure AI Bot Service) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3436: Configure Network Security Group Support (Azure AI Bot Service) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3437: Configure Azure Private Link (Azure AI Bot Service) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3438: Configure Azure Resource Logs (Azure AI Bot Service) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3439: Configure Service Principals (Azure AI Bot Service) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3440: Configure Virtual Network Integration (Azure AI Bot Service) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3441: Configure Azure Policy Support (Azure HPC Cache) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3442: Configure Data at Rest Encryption Using CMK (Azure HPC Cache) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3443: Configure Data in Transit Encryption (Azure HPC Cache) [Added]
- P1809: Unprotected data in transit (Cloud) [Added]
T3444: Configure Key Management in Azure Key Vault (Azure HPC Cache) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T3445: Configure Managed Identities (Azure HPC Cache) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3446: Configure Network Security Group Support (Azure HPC Cache) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3447: Configure Azure AD Authentication Required for Data Plane Access (Azure Stream Analytics) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3448: Configure Azure Policy Support (Azure Stream Analytics) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3449: Configure Data at Rest Encryption Using CMK (Azure Stream Analytics) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3450: Configure Managed Identities (Azure Stream Analytics) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3451: Configure Service Native Backup Capability (Azure Stream Analytics) [Added]
- P1844: Inadequate data backup practices (Cloud) [Added]
T3452: Configure Azure Private Link (Azure Stream Analytics) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3453: Configure Azure Resource Logs (Azure Stream Analytics) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3454: Configure Service Principals (Azure Stream Analytics) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3455: Configure Azure AD Authentication Required for Data Plane Access (Azure Virtual Machine Scale Sets) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3456: Configure Microsoft Defender for Cloud - Adaptive Application Controls (Azure Virtual Machine Scale Sets) [Added]
- P1819: Uncontrolled execution of unauthorized software (Cloud) [Added]
T3457: Configure Service Credential and Secrets Support Integration and Storage in Azure Key Vault (Azure Virtual Machine Scale Sets) [Added]
- P1797: Unsecured storage of credentials and secrets (Cloud) [Added]
T3458: Configure Anti-Malware Solution (Azure Virtual Machine Scale Sets) [Added]
- P1842: Outdated malware protection mechanisms (Cloud) [Added]
T3459: Configure Anti-Malware Solution Health Monitoring (Azure Virtual Machine Scale Sets) [Added]
- P1843: Outdated anti-malware signatures (Cloud) [Added]
T3460: Configure Azure Automation State Configuration (Azure Virtual Machine Scale Sets) [Added]
- P1836: Inadequate compute resource configuration (Cloud) [Added]
T3461: Configure Azure Backup (Azure Virtual Machine Scale Sets) [Added]
- P1844: Inadequate data backup practices (Cloud) [Added]
T3462: Configure Azure Policy Guest Configuration Agent (Azure Virtual Machine Scale Sets) [Added]
- P1836: Inadequate compute resource configuration (Cloud) [Added]
T3463: Configure Azure Policy Support (Azure Virtual Machine Scale Sets) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3464: Configure Azure RBAC for Data Plane (Azure Virtual Machine Scale Sets) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T3465: Configure Customer Lockbox (Azure Virtual Machine Scale Sets) [Added]
- P1806: Uncontrolled vendor access (Cloud) [Added]
T3466: Configure Custom VM Images (Azure Virtual Machine Scale Sets) [Added]
- P1836: Inadequate compute resource configuration (Cloud) [Added]
T3467: Configure Data at Rest Encryption Using CMK (Azure Virtual Machine Scale Sets) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3468: Configure Data in Transit Encryption (Azure Virtual Machine Scale Sets) [Added]
- P1809: Unprotected data in transit (Cloud) [Added]
T3469: Configure Microsoft Defender for Service / Product Offering (Azure Virtual Machine Scale Sets) [Added]
- P1820: Inadequate threat detection and alerting (Cloud) [Added]
T3470: Configure Disable Public Network Access (Azure Virtual Machine Scale Sets) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3471: Configure EDR Solution (Azure Virtual Machine Scale Sets) [Added]
- P1841: Unmonitored endpoint activity (Cloud) [Added]
T3472: Configure Key Management in Azure Key Vault (Azure Virtual Machine Scale Sets) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T3473: Configure Managed Identities (Azure Virtual Machine Scale Sets) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3474: Configure Network Security Group Support (Azure Virtual Machine Scale Sets) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3475: Configure Azure Resource Logs (Azure Virtual Machine Scale Sets) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3476: Configure Service Principals (Azure Virtual Machine Scale Sets) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3477: Configure Vulnerability Assessment using Microsoft Defender (Azure Virtual Machine Scale Sets) [Added]
- P1838: Lack of vulnerability assessments (Cloud) [Added]
T3478: Configure Azure Backup (Azure VMware Solution) [Added]
- P1844: Inadequate data backup practices (Cloud) [Added]
T3479: Configure Microsoft Defender for Service / Product Offering (Azure VMware Solution) [Added]
- P1820: Inadequate threat detection and alerting (Cloud) [Added]
T3480: Configure Local Admin Accounts (Azure VMware Solution) [Added]
- P1799: Excessive privileged access (Cloud) [Added]
T3481: Configure Local Authentication Methods for Data Plane Access (Azure VMware Solution) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3482: Configure Service Native Backup Capability (Azure VMware Solution) [Added]
- P1844: Inadequate data backup practices (Cloud) [Added]
T3483: Configure Network Security Group Support (Azure VMware Solution) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3484: Configure Virtual Network Integration (Azure VMware Solution) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3485: Configure Azure Policy Support (Azure Firewall) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3486: Configure Certificate Management in Azure Key Vault (Azure Firewall) [Added]
- P1813: Inadequate certificate management (Cloud) [Added]
T3487: Configure Data in Transit Encryption (Azure Firewall) [Added]
- P1809: Unprotected data in transit (Cloud) [Added]
T3488: Configure Azure Resource Logs (Azure Firewall) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3489: Configure Data in Transit Encryption (Azure Active Directory External Identities) [Added]
- P1809: Unprotected data in transit (Cloud) [Added]
T3490: Configure Local Authentication Methods for Data Plane Access (Azure Active Directory External Identities) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3491: Configure Network Security Group Support (Azure Active Directory External Identities) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3492: Configure Azure Resource Logs (Azure Active Directory External Identities) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3493: Configure Azure AD Authentication Required for Data Plane Access (Azure Spatial Anchors) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3494: Configure Azure Policy Support (Azure Spatial Anchors) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3495: Configure Azure RBAC for Data Plane (Azure Spatial Anchors) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T3496: Configure Service Principals (Azure Spatial Anchors) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3497: Configure Azure AD Authentication Required for Data Plane Access (Azure Red Hat OpenShift) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3498: Configure Service Credential and Secrets Support Integration and Storage in Azure Key Vault (Azure Red Hat OpenShift) [Added]
- P1797: Unsecured storage of credentials and secrets (Cloud) [Added]
T3499: Configure Azure Policy Support (Azure Red Hat OpenShift) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3500: Configure Customer Lockbox (Azure Red Hat OpenShift) [Added]
- P1806: Uncontrolled vendor access (Cloud) [Added]
T3501: Configure Data at Rest Encryption Using CMK (Azure Red Hat OpenShift) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3502: Configure Disable Public Network Access (Azure Red Hat OpenShift) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3503: Configure Key Management in Azure Key Vault (Azure Red Hat OpenShift) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T3504: Configure Service Native Backup Capability (Azure Red Hat OpenShift) [Added]
- P1844: Inadequate data backup practices (Cloud) [Added]
T3505: Configure Azure Private Link (Azure Red Hat OpenShift) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3506: Configure Azure Resource Logs (Azure Red Hat OpenShift) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3507: Configure Service Principals (Azure Red Hat OpenShift) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3508: Configure Service Credential and Secrets Support Integration and Storage in Azure Key Vault (Azure Database for PostgreSQL) [Added]
- P1797: Unsecured storage of credentials and secrets (Cloud) [Added]
T3509: Configure Certificate Management in Azure Key Vault (Azure Database for PostgreSQL) [Added]
- P1813: Inadequate certificate management (Cloud) [Added]
T3510: Configure Conditional Access for Data Plane (Azure Database for PostgreSQL) [Added]
- P1796: Insufficient resource access control (Cloud) [Added]
T3511: Configure Data at Rest Encryption Using CMK (Azure Database for PostgreSQL) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3512: Configure Disable Public Network Access (Azure Database for PostgreSQL) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3513: Configure Key Management in Azure Key Vault (Azure Database for PostgreSQL) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T3514: Configure Managed Identities (Azure Database for PostgreSQL) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3515: Configure Network Security Group Support (Azure Database for PostgreSQL) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3516: Configure Service Principals (Azure Database for PostgreSQL) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3517: Configure Virtual Network Integration (Azure Database for PostgreSQL) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3518: Configure Azure Policy Support (Azure Web Application Firewall) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3519: Configure Certificate Management in Azure Key Vault (Azure Web Application Firewall) [Added]
- P1813: Inadequate certificate management (Cloud) [Added]
T3520: Configure Data in Transit Encryption (Azure Web Application Firewall) [Added]
- P1809: Unprotected data in transit (Cloud) [Added]
T3521: Configure Microsoft Defender for Service / Product Offering (Azure Web Application Firewall) [Added]
- P1820: Inadequate threat detection and alerting (Cloud) [Added]
T3522: Configure Disable Public Network Access (Azure Web Application Firewall) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3523: Configure Network Security Group Support (Azure Web Application Firewall) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3524: Configure Azure Private Link (Azure Web Application Firewall) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3525: Configure Azure Resource Logs (Azure Web Application Firewall) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3526: Configure Sensitive Data Discovery and Classification (Azure Web Application Firewall) [Added]
- P1807: Unidentified and unprotected sensitive data (Cloud) [Added]
T3527: Configure Azure Policy Support (Azure Migrate) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3528: Configure Data at Rest Encryption Using CMK (Azure Migrate) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3529: Configure Disable Public Network Access (Azure Migrate) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3530: Configure Managed Identities (Azure Migrate) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3531: Configure Azure Private Link (Azure Migrate) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3532: Configure Service Principals (Azure Migrate) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3533: Configure Azure RBAC for Data Plane (Azure Sentinel) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T3534: Configure Conditional Access for Data Plane (Azure Sentinel) [Added]
- P1796: Insufficient resource access control (Cloud) [Added]
T3535: Configure Data at Rest Encryption Using CMK (Azure Sentinel) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3536: Configure Data Leakage/Loss Prevention (Azure Sentinel) [Added]
- P1808: Unmonitored sensitive data transfers (Cloud) [Added]
T3537: Configure Key Management in Azure Key Vault (Azure Sentinel) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T3538: Configure Managed Identities (Azure Sentinel) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3539: Configure Azure Resource Logs (Azure Sentinel) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3540: Configure Sensitive Data Discovery and Classification (Azure Sentinel) [Added]
- P1807: Unidentified and unprotected sensitive data (Cloud) [Added]
T3541: Configure Service Principals (Azure Sentinel) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3542: Configure Azure Policy Support (Azure Managed Instance for Apache Cassandra) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3543: Configure Data at Rest Encryption Using CMK (Azure Managed Instance for Apache Cassandra) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3544: Configure Key Management in Azure Key Vault (Azure Managed Instance for Apache Cassandra) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T3545: Configure Local Authentication Methods for Data Plane Access (Azure Managed Instance for Apache Cassandra) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3546: Configure Azure Resource Logs (Azure Managed Instance for Apache Cassandra) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3547: Configure Azure Policy Support (Azure Managed Lustre) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3548: Configure Data at Rest Encryption Using CMK (Azure Managed Lustre) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3549: Configure Key Management in Azure Key Vault (Azure Managed Lustre) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T3550: Configure Azure Resource Logs (Azure Managed Lustre) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3551: Configure Azure AD Authentication Required for Data Plane Access (Azure Communication Services) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3552: Configure Azure RBAC for Data Plane (Azure Communication Services) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T3553: Configure Azure Resource Logs (Azure Communication Services) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3554: Configure Service Principals (Azure Communication Services) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3555: Configure Azure AD Authentication Required for Data Plane Access (Azure Data Explorer) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3556: Configure Azure Policy Support (Azure Data Explorer) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3557: Configure Conditional Access for Data Plane (Azure Data Explorer) [Added]
- P1796: Insufficient resource access control (Cloud) [Added]
T3558: Configure Data at Rest Encryption Using CMK (Azure Data Explorer) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3559: Configure Data Leakage/Loss Prevention (Azure Data Explorer) [Added]
- P1808: Unmonitored sensitive data transfers (Cloud) [Added]
T3560: Configure Disable Public Network Access (Azure Data Explorer) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3561: Configure Network Security Group Support (Azure Data Explorer) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3562: Configure Azure Private Link (Azure Data Explorer) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3563: Configure Azure Resource Logs (Azure Data Explorer) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3564: Configure Sensitive Data Discovery and Classification (Azure Data Explorer) [Added]
- P1807: Unidentified and unprotected sensitive data (Cloud) [Added]
T3565: Configure Virtual Network Integration (Azure Data Explorer) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3566: Configure Local Authentication Methods for Data Plane Access (Azure Dedicated HSM) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3567: Configure Azure Policy Support (Azure Database for MariaDB) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3568: Configure Microsoft Defender for Service / Product Offering (Azure Database for MariaDB) [Added]
- P1820: Inadequate threat detection and alerting (Cloud) [Added]
T3569: Configure Network Security Group Support (Azure Database for MariaDB) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3570: Configure Azure Private Link (Azure Database for MariaDB) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3571: Configure Azure AD Authentication Required for Data Plane Access (Azure Event Grid) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3572: Configure Azure Policy Support (Azure Event Grid) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3573: Configure Azure RBAC for Data Plane (Azure Event Grid) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T3574: Configure Disable Public Network Access (Azure Event Grid) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3575: Configure Managed Identities (Azure Event Grid) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3576: Configure Network Security Group Support (Azure Event Grid) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3577: Configure Azure Private Link (Azure Event Grid) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3578: Configure Azure Resource Logs (Azure Event Grid) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3579: Configure Service Principals (Azure Event Grid) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3580: Configure Azure RBAC for Data Plane (Azure Cost Management) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T3581: Configure Conditional Access for Data Plane (Azure Cost Management) [Added]
- P1796: Insufficient resource access control (Cloud) [Added]
T3582: Configure Service Principals (Azure Cost Management) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3583: Configure Azure Policy Support (Azure IoT Hub) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3584: Configure Azure RBAC for Data Plane (Azure IoT Hub) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T3585: Configure Conditional Access for Data Plane (Azure IoT Hub) [Added]
- P1796: Insufficient resource access control (Cloud) [Added]
T3586: Configure Disable Public Network Access (Azure IoT Hub) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3587: Configure Key Management in Azure Key Vault (Azure IoT Hub) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T3588: Configure Local Authentication Methods for Data Plane Access (Azure IoT Hub) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3589: Configure Managed Identities (Azure IoT Hub) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3590: Configure Azure Private Link (Azure IoT Hub) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3591: Configure Azure Resource Logs (Azure IoT Hub) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3592: Configure Service Principals (Azure IoT Hub) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3593: Configure Azure AD Authentication Required for Data Plane Access (Azure Cosmos DB) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3594: Configure Azure Policy Support (Azure Cosmos DB) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3595: Configure Azure RBAC for Data Plane (Azure Cosmos DB) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T3596: Configure Conditional Access for Data Plane (Azure Cosmos DB) [Added]
- P1796: Insufficient resource access control (Cloud) [Added]
T3597: Configure Data at Rest Encryption Using CMK (Azure Cosmos DB) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3598: Configure Data Leakage/Loss Prevention (Azure Cosmos DB) [Added]
- P1808: Unmonitored sensitive data transfers (Cloud) [Added]
T3599: Configure Microsoft Defender for Service / Product Offering (Azure Cosmos DB) [Added]
- P1820: Inadequate threat detection and alerting (Cloud) [Added]
T3600: Configure Disable Public Network Access (Azure Cosmos DB) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3601: Configure Key Management in Azure Key Vault (Azure Cosmos DB) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T3602: Configure Managed Identities (Azure Cosmos DB) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3603: Configure Azure Private Link (Azure Cosmos DB) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3604: Configure Azure Resource Logs (Azure Cosmos DB) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3605: Configure Sensitive Data Discovery and Classification (Azure Cosmos DB) [Added]
- P1807: Unidentified and unprotected sensitive data (Cloud) [Added]
T3606: Configure Service Principals (Azure Cosmos DB) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3607: Configure Virtual Network Integration (Azure Cosmos DB) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3608: Configure Azure AD Authentication Required for Data Plane Access (Azure Synapse Analytics) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3609: Configure Service Credential and Secrets Support Integration and Storage in Azure Key Vault (Azure Synapse Analytics) [Added]
- P1797: Unsecured storage of credentials and secrets (Cloud) [Added]
T3610: Configure Azure Policy Support (Azure Synapse Analytics) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3611: Configure Conditional Access for Data Plane (Azure Synapse Analytics) [Added]
- P1796: Insufficient resource access control (Cloud) [Added]
T3612: Configure Customer Lockbox (Azure Synapse Analytics) [Added]
- P1806: Uncontrolled vendor access (Cloud) [Added]
T3613: Configure Data at Rest Encryption Using CMK (Azure Synapse Analytics) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3614: Configure Data Leakage/Loss Prevention (Azure Synapse Analytics) [Added]
- P1808: Unmonitored sensitive data transfers (Cloud) [Added]
T3615: Configure Microsoft Defender for Service / Product Offering (Azure Synapse Analytics) [Added]
- P1820: Inadequate threat detection and alerting (Cloud) [Added]
T3616: Configure Disable Public Network Access (Azure Synapse Analytics) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3617: Configure Key Management in Azure Key Vault (Azure Synapse Analytics) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T3618: Configure Local Admin Accounts (Azure Synapse Analytics) [Added]
- P1799: Excessive privileged access (Cloud) [Added]
T3619: Configure Local Authentication Methods for Data Plane Access (Azure Synapse Analytics) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3620: Configure Service Native Backup Capability (Azure Synapse Analytics) [Added]
- P1844: Inadequate data backup practices (Cloud) [Added]
T3621: Configure Network Security Group Support (Azure Synapse Analytics) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3622: Configure Azure Private Link (Azure Synapse Analytics) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3623: Configure Azure Resource Logs (Azure Synapse Analytics) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3624: Configure Sensitive Data Discovery and Classification (Azure Synapse Analytics) [Added]
- P1807: Unidentified and unprotected sensitive data (Cloud) [Added]
T3625: Configure Virtual Network Integration (Azure Synapse Analytics) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3626: Configure Azure Policy Support (Azure Resource Manager) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3627: Configure Microsoft Defender for Service / Product Offering (Azure Resource Manager) [Added]
- P1820: Inadequate threat detection and alerting (Cloud) [Added]
T3628: Configure Azure Private Link (Azure Resource Manager) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3629: Configure Azure Resource Logs (Azure Resource Manager) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3630: Configure Azure AD Authentication Required for Data Plane Access (Azure App Service) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3631: Configure Service Credential and Secrets Support Integration and Storage in Azure Key Vault (Azure App Service) [Added]
- P1797: Unsecured storage of credentials and secrets (Cloud) [Added]
T3632: Configure Azure Backup (Azure App Service) [Added]
- P1844: Inadequate data backup practices (Cloud) [Added]
T3633: Configure Azure Policy Support (Azure App Service) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3634: Configure Certificate Management in Azure Key Vault (Azure App Service) [Added]
- P1813: Inadequate certificate management (Cloud) [Added]
T3635: Configure Conditional Access for Data Plane (Azure App Service) [Added]
- P1796: Insufficient resource access control (Cloud) [Added]
T3636: Configure Customer Lockbox (Azure App Service) [Added]
- P1806: Uncontrolled vendor access (Cloud) [Added]
T3637: Configure Data at Rest Encryption Using CMK (Azure App Service) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3638: Configure Data in Transit Encryption (Azure App Service) [Added]
- P1809: Unprotected data in transit (Cloud) [Added]
T3639: Configure Microsoft Defender for Service / Product Offering (Azure App Service) [Added]
- P1820: Inadequate threat detection and alerting (Cloud) [Added]
T3640: Configure Disable Public Network Access (Azure App Service) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3641: Configure Key Management in Azure Key Vault (Azure App Service) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T3642: Configure Local Authentication Methods for Data Plane Access (Azure App Service) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3643: Configure Managed Identities (Azure App Service) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3644: Configure Azure Private Link (Azure App Service) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3645: Configure Azure Private Link (Azure App Service) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3646: Configure Azure Resource Logs (Azure App Service) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3647: Configure Service Principals (Azure App Service) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3648: Configure Virtual Network Integration (Azure App Service) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3649: Configure Azure Policy Support (Azure NetApp Files) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3650: Configure Data in Transit Encryption (Azure NetApp Files) [Added]
- P1809: Unprotected data in transit (Cloud) [Added]
T3651: Configure Service Native Backup Capability (Azure NetApp Files) [Added]
- P1844: Inadequate data backup practices (Cloud) [Added]
T3652: Configure Network Security Group Support (Azure NetApp Files) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3653: Configure Virtual Network Integration (Azure NetApp Files) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3654: Configure Azure Policy Support (Azure Lighthouse) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3655: Configure Managed Identities (Azure Policy) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3656: Configure Virtual Network Integration (Azure Cloud Shell) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3657: Configure Service Native Backup Capability (Azure Notification Hubs) [Added]
- P1844: Inadequate data backup practices (Cloud) [Added]
T3658: Configure Azure Resource Logs (Azure Notification Hubs) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3659: Configure Service Credential and Secrets Support Integration and Storage in Azure Key Vault (Azure OpenAI Service) [Added]
- P1797: Unsecured storage of credentials and secrets (Cloud) [Added]
T3660: Configure Azure Policy Support (Azure OpenAI Service) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3661: Configure Azure RBAC for Data Plane (Azure OpenAI Service) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T3662: Configure Conditional Access for Data Plane (Azure OpenAI Service) [Added]
- P1796: Insufficient resource access control (Cloud) [Added]
T3663: Configure Customer Lockbox (Azure OpenAI Service) [Added]
- P1806: Uncontrolled vendor access (Cloud) [Added]
T3664: Configure Data at Rest Encryption Using CMK (Azure OpenAI Service) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3665: Configure Data Leakage/Loss Prevention (Azure OpenAI Service) [Added]
- P1808: Unmonitored sensitive data transfers (Cloud) [Added]
T3666: Configure Disable Public Network Access (Azure OpenAI Service) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3667: Configure Key Management in Azure Key Vault (Azure OpenAI Service) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T3668: Configure Local Authentication Methods for Data Plane Access (Azure OpenAI Service) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3669: Configure Managed Identities (Azure OpenAI Service) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3670: Configure Azure Private Link (Azure OpenAI Service) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3671: Configure Azure Resource Logs (Azure OpenAI Service) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3672: Configure Service Principals (Azure OpenAI Service) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3673: Configure Azure AD Authentication Required for Data Plane Access (Azure Batch) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3674: Configure Azure Policy Support (Azure Batch) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3675: Configure Azure RBAC for Data Plane (Azure Batch) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T3676: Configure Certificate Management in Azure Key Vault (Azure Batch) [Added]
- P1813: Inadequate certificate management (Cloud) [Added]
T3677: Configure Custom Containers Images (Azure Batch) [Added]
- P1836: Inadequate compute resource configuration (Cloud) [Added]
T3678: Configure Custom VM Images (Azure Batch) [Added]
- P1836: Inadequate compute resource configuration (Cloud) [Added]
T3679: Configure Data at Rest Encryption Using CMK (Azure Batch) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3680: Configure Disable Public Network Access (Azure Batch) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3681: Configure Key Management in Azure Key Vault (Azure Batch) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T3682: Configure Local Authentication Methods for Data Plane Access (Azure Batch) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3683: Configure Managed Identities (Azure Batch) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3684: Configure Azure Private Link (Azure Batch) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3685: Configure Azure Resource Logs (Azure Batch) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3686: Configure Service Principals (Azure Batch) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3687: Configure Virtual Network Integration (Azure Batch) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3688: Configure Azure AD Authentication Required for Data Plane Access (Azure SQL) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3689: Configure Azure Policy Support (Azure SQL) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3690: Configure Conditional Access for Data Plane (Azure SQL) [Added]
- P1796: Insufficient resource access control (Cloud) [Added]
T3691: Configure Customer Lockbox (Azure SQL) [Added]
- P1806: Uncontrolled vendor access (Cloud) [Added]
T3692: Configure Data at Rest Encryption Using CMK (Azure SQL) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3693: Configure Microsoft Defender for Service / Product Offering (Azure SQL) [Added]
- P1820: Inadequate threat detection and alerting (Cloud) [Added]
T3694: Configure Key Management in Azure Key Vault (Azure SQL) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T3695: Configure Local Authentication Methods for Data Plane Access (Azure SQL) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3696: Configure Managed Identities (Azure SQL) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3697: Configure Network Security Group Support (Azure SQL) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3698: Configure Azure Private Link (Azure SQL) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3699: Configure Azure Resource Logs (Azure SQL) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3700: Configure Virtual Network Integration (Azure SQL) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3701: Configure Azure RBAC for Data Plane (Azure Attestation) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T3702: Configure Azure Resource Logs (Azure Attestation) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3703: Configure Data at Rest Encryption Using CMK (Azure Communications Gateway) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3704: Configure Key Management in Azure Key Vault (Azure Communications Gateway) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T3705: Configure Azure Policy Support (Azure NAT Gateway) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3706: Configure Virtual Network Integration (Azure NAT Gateway) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3707: Configure Service Credential and Secrets Support Integration and Storage in Azure Key Vault (Azure Backup) [Added]
- P1797: Unsecured storage of credentials and secrets (Cloud) [Added]
T3708: Configure Certificate Management in Azure Key Vault (Azure Backup) [Added]
- P1813: Inadequate certificate management (Cloud) [Added]
T3709: Configure Data at Rest Encryption Using CMK (Azure Backup) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3710: Configure Data Leakage/Loss Prevention (Azure Backup) [Added]
- P1808: Unmonitored sensitive data transfers (Cloud) [Added]
T3711: Configure Disable Public Network Access (Azure Backup) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3712: Configure Key Management in Azure Key Vault (Azure Backup) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T3713: Configure Azure Private Link (Azure Backup) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3714: Configure Azure Resource Logs (Azure Backup) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3715: Configure Service Credential and Secrets Support Integration and Storage in Azure Key Vault (Azure Information Protection) [Added]
- P1797: Unsecured storage of credentials and secrets (Cloud) [Added]
T3716: Configure Certificate Management in Azure Key Vault (Azure Information Protection) [Added]
- P1813: Inadequate certificate management (Cloud) [Added]
T3717: Configure Conditional Access for Data Plane (Azure Information Protection) [Added]
- P1796: Insufficient resource access control (Cloud) [Added]
T3718: Configure Data at Rest Encryption Using CMK (Azure Information Protection) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3719: Configure Data Leakage/Loss Prevention (Azure Information Protection) [Added]
- P1808: Unmonitored sensitive data transfers (Cloud) [Added]
T3720: Configure Key Management in Azure Key Vault (Azure Information Protection) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T3721: Configure Local Admin Accounts (Azure Information Protection) [Added]
- P1799: Excessive privileged access (Cloud) [Added]
T3722: Configure Service Credential and Secrets Support Integration and Storage in Azure Key Vault (Azure Storage) [Added]
- P1797: Unsecured storage of credentials and secrets (Cloud) [Added]
T3723: Configure Azure Backup (Azure Storage) [Added]
- P1844: Inadequate data backup practices (Cloud) [Added]
T3724: Configure Azure Policy Support (Azure Storage) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3725: Configure Azure RBAC for Data Plane (Azure Storage) [Added]
- P1805: Overly broad access privileges (Cloud) [Added]
T3726: Configure Conditional Access for Data Plane (Azure Storage) [Added]
- P1796: Insufficient resource access control (Cloud) [Added]
T3727: Configure Customer Lockbox (Azure Storage) [Added]
- P1806: Uncontrolled vendor access (Cloud) [Added]
T3728: Configure Data at Rest Encryption Using CMK (Azure Storage) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3729: Configure Data Leakage/Loss Prevention (Azure Storage) [Added]
- P1808: Unmonitored sensitive data transfers (Cloud) [Added]
T3730: Configure Microsoft Defender for Service / Product Offering (Azure Storage) [Added]
- P1820: Inadequate threat detection and alerting (Cloud) [Added]
T3731: Configure Disable Public Network Access (Azure Storage) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3732: Configure Key Management in Azure Key Vault (Azure Storage) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T3733: Configure Local Authentication Methods for Data Plane Access (Azure Storage) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3734: Configure Managed Identities (Azure Storage) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3735: Configure Service Native Backup Capability (Azure Storage) [Added]
- P1844: Inadequate data backup practices (Cloud) [Added]
T3736: Configure Azure Private Link (Azure Storage) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3737: Configure Azure Resource Logs (Azure Storage) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3738: Configure Sensitive Data Discovery and Classification (Azure Storage) [Added]
- P1807: Unidentified and unprotected sensitive data (Cloud) [Added]
T3739: Configure Service Principals (Azure Storage) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3740: Configure Microsoft Defender for Cloud - Adaptive Application Controls (Azure Managed Applications) [Added]
- P1819: Uncontrolled execution of unauthorized software (Cloud) [Added]
T3741: Configure Service Credential and Secrets Support Integration and Storage in Azure Key Vault (Azure Managed Applications) [Added]
- P1797: Unsecured storage of credentials and secrets (Cloud) [Added]
T3742: Configure Anti-Malware Solution (Azure Managed Applications) [Added]
- P1842: Outdated malware protection mechanisms (Cloud) [Added]
T3743: Configure Anti-Malware Solution Health Monitoring (Azure Managed Applications) [Added]
- P1843: Outdated anti-malware signatures (Cloud) [Added]
T3744: Configure Azure Automation State Configuration (Azure Managed Applications) [Added]
- P1836: Inadequate compute resource configuration (Cloud) [Added]
T3745: Configure Azure Automation Update Management (Azure Managed Applications) [Added]
- P1839: Unpatched vulnerabilities in cloud resources (Cloud) [Added]
T3746: Configure Azure Backup (Azure Managed Applications) [Added]
- P1844: Inadequate data backup practices (Cloud) [Added]
T3747: Configure Azure Policy Guest Configuration Agent (Azure Managed Applications) [Added]
- P1836: Inadequate compute resource configuration (Cloud) [Added]
T3748: Configure Azure Policy Support (Azure Managed Applications) [Added]
- P1816: Uncontrolled cloud service provisioning (Cloud) [Added]
T3749: Configure Certificate Management in Azure Key Vault (Azure Managed Applications) [Added]
- P1813: Inadequate certificate management (Cloud) [Added]
T3750: Configure Conditional Access for Data Plane (Azure Managed Applications) [Added]
- P1796: Insufficient resource access control (Cloud) [Added]
T3751: Configure Custom Containers Images (Azure Managed Applications) [Added]
- P1836: Inadequate compute resource configuration (Cloud) [Added]
T3752: Configure Custom VM Images (Azure Managed Applications) [Added]
- P1836: Inadequate compute resource configuration (Cloud) [Added]
T3753: Configure Data at Rest Encryption Using CMK (Azure Managed Applications) [Added]
- P1811: Unsecured data at rest encryption keys (Cloud) [Added]
T3754: Configure Data Leakage/Loss Prevention (Azure Managed Applications) [Added]
- P1808: Unmonitored sensitive data transfers (Cloud) [Added]
T3755: Configure Disable Public Network Access (Azure Managed Applications) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3756: Configure EDR Solution (Azure Managed Applications) [Added]
- P1841: Unmonitored endpoint activity (Cloud) [Added]
T3757: Configure Key Management in Azure Key Vault (Azure Managed Applications) [Added]
- P1812: Unsecured cryptographic key management (Cloud) [Added]
T3758: Configure Local Authentication Methods for Data Plane Access (Azure Managed Applications) [Added]
- P1790: Decentralized identity management (Cloud) [Added]
T3759: Configure Managed Identities (Azure Managed Applications) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3760: Configure Network Security Group Support (Azure Managed Applications) [Added]
- P1780: Insufficient network segmentation (Cloud) [Added]
T3761: Configure Azure Private Link (Azure Managed Applications) [Added]
- P1781: Unsecured cloud service access (Cloud) [Added]
T3762: Configure Azure Resource Logs (Azure Managed Applications) [Added]
- P1823: Insufficient network logging (Cloud) [Added]
T3763: Configure Sensitive Data Discovery and Classification (Azure Managed Applications) [Added]
- P1807: Unidentified and unprotected sensitive data (Cloud) [Added]
T3764: Configure Service Principals (Azure Managed Applications) [Added]
- P1792: Unsecured application identities (Cloud) [Added]
T3765: Configure Vulnerability Assessment using Microsoft Defender (Azure Managed Applications) [Added]
- P1838: Lack of vulnerability assessments (Cloud) [Added]
T3766: Use SecureString for sensitive values in Parameter Store (AWS Systems Manager) [Added]
- P1866: Sensitive parameter data stored in plaintext (AWS Systems Manager) [Added]
T3767: Encrypt all data in S3 buckets (AWS Systems Manager) [Added]
- P1867: Sensitive data stored in plaintext (AWS Systems Manager) [Added]
T3768: Give the least privilege access to users (AWS Systems Manager) [Added]
- P1868: Excessive user permissions (AWS Systems Manager) [Added]
T3769: Set parameter constraints in an SSM document (AWS Systems Manager) [Added]
- P1869: Allowing invalid or dangerous values in an SSM document (AWS Systems Manager) [Added]
T3770: Block public sharing of SSM documents (AWS Systems Manager) [Added]
- P1870: Leaking information about system configuration (AWS Systems Manager) [Added]
T3771: Keep components up to date (AWS Systems Manager) [Added]
- P1871: Out-of-date components (AWS Systems Manager) [Added]
T3772: Restrict Session Manager commands with an SSM document (AWS Systems Manager) [Added]
- P1872: Poor session management (AWS Systems Manager) [Added]
T3773: Monitor sessions in Session Manager (AWS Systems Manager) [Added]
- P1873: Suspicious session activity (AWS Systems Manager) [Added]
T3774: Test the use of SecureString for sensitive values in Parameter Store (AWS Systems Manager) [Added]
- P1866: Sensitive parameter data stored in plaintext (AWS Systems Manager) [Added]
T3775: Test data ecnryption in S3 buckets (AWS Systems Manager) [Added]
- P1867: Sensitive data stored in plaintext (AWS Systems Manager) [Added]
T3776: Test least privilege access to users (AWS Systems Manager) [Added]
- P1868: Excessive user permissions (AWS Systems Manager) [Added]
T3777: Verify parameter constraints in an SSM document (AWS Systems Manager) [Added]
- P1869: Allowing invalid or dangerous values in an SSM document (AWS Systems Manager) [Added]
T3778: Verify public sharing of SSM documents (AWS Systems Manager) [Added]
- P1870: Leaking information about system configuration (AWS Systems Manager) [Added]
T3779: Verify components are up to date (AWS Systems Manager) [Added]
- P1871: Out-of-date components (AWS Systems Manager) [Added]
T3780: Verify the restriction of Session Manager commands with an SSM document (AWS Systems Manager) [Added]
- P1872: Poor session management (AWS Systems Manager) [Added]
T3781: Verify session monitoring in Session Manager (AWS Systems Manager) [Added]
- P1873: Suspicious session activity (AWS Systems Manager) [Added]
T3782: Replace sensitive values with dynamic references (AWS CloudFormation) [Added]
- P1874: Hard-coded secrets in templates (AWS CloudFormation) [Added]
T3783: Set parameter constraints (AWS CloudFormation) [Added]
- P1875: Allowing invalid or dangerous values (AWS CloudFormation) [Added]
T3784: Store templates in a version control system (AWS CloudFormation) [Added]
- P1876: Lack of change tracking (AWS CloudFormation) [Added]
T3785: Use a service role to implement least-privilege access (AWS CloudFormation) [Added]
- P1877: Overly broad user permissions (AWS CloudFormation) [Added]
T3786: Assign a stack policy to protect resources (AWS CloudFormation) [Added]
- P1878: Stack resources can be accidentally updated or removed (AWS CloudFormation) [Added]
T3787: Ensure CloudFormation events are logged (AWS CloudFormation) [Added]
- P1879: Failing to monitor for security incidents and errors (AWS CloudFormation) [Added]
T3788: Verify sensitive values replacement with dynamic references (AWS CloudFormation) [Added]
- P1874: Hard-coded secrets in templates (AWS CloudFormation) [Added]
T3789: Verify parameter constraints (AWS CloudFormation) [Added]
- P1875: Allowing invalid or dangerous values (AWS CloudFormation) [Added]
T3790: Verify template storage in a version control system (AWS CloudFormation) [Added]
- P1876: Lack of change tracking (AWS CloudFormation) [Added]
T3791: Verify the use of a service role to implement least-privilege access (AWS CloudFormation) [Added]
- P1877: Overly broad user permissions (AWS CloudFormation) [Added]
T3792: Verify resource protection by stack policies [Added]
- P1878: Stack resources can be accidentally updated or removed (AWS CloudFormation) [Added]
T3793: Verify logs of CloudFormation events (AWS CloudFormation) [Added]
- P1879: Failing to monitor for security incidents and errors (AWS CloudFormation) [Added]
T3794: Protect against leaking secrets in a shell window (AWS Secrets Manager) [Added]
- P1880: Secret leaking from the shell command history (AWS Secrets Manager) [Added]
T3795: Set a rotation schedule for secrets (AWS Secrets Manager) [Added]
- P1881: Compromised secrets (AWS Secrets Manager) [Added]
T3796: Use appropriate naming and documentation for secrets (AWS Secrets Manager) [Added]
- P1882: Poor secret management (AWS Secrets Manager) [Added]
T3797: Use CloudTrail to audit secrets (AWS Secrets Manager) [Added]
- P1883: Failing to monitor secret usage (AWS Secrets Manager) [Added]
T3798: Use a VPC endpoint to communicate (AWS Secrets Manager) [Added]
- P1884: Communication over the public internet (AWS Secrets Manager) [Added]
T3799: Verify secret leaking in a shell window (AWS Secrets Manager) [Added]
- P1880: Secret leaking from the shell command history (AWS Secrets Manager) [Added]
T3800: Test secret rotation schedule (AWS Secrets Manager) [Added]
- P1881: Compromised secrets (AWS Secrets Manager) [Added]
T3801: Verify naming and documentation for secrets (AWS Secrets Manager) [Added]
- P1882: Poor secret management (AWS Secrets Manager) [Added]
T3802: Verify secret audit (AWS Secrets Manager) [Added]
- P1883: Failing to monitor secret usage (AWS Secrets Manager) [Added]
T3803: Test VPC endpoint communication (AWS Secrets Manager) [Added]
- P1884: Communication over the public internet (AWS Secrets Manager) [Added]
T3804: Ensure state machines have the correct permissions (AWS Step Functions) [Added]
- P1885: Excessive or insufficient permissions (AWS Step Functions) [Added]
T3805: Choose an appropriate logging level for state machines (AWS Step Functions) [Added]
- P1886: Failure to monitor events for errors and security incidents (AWS Step Functions) [Added]
T3806: Verify permissions for state machines (AWS Step Functions) [Added]
- P1885: Excessive or insufficient permissions (AWS Step Functions) [Added]
T3807: Verify logging level for state machines (AWS Step Functions) [Added]
- P1886: Failure to monitor events for errors and security incidents (AWS Step Functions) [Added]
T3808: Do not use wildcard domain names in certificates (AWS Certificate Manager) [Added]
- P1887: Single-point of failure and vulnerability to ALPACA exploits (AWS Certificate Manager) [Added]
T3809: Monitor non-AWS certificates for expiry (AWS Certificate Manager) [Added]
- P1888: Interruption in availability due to expired certificates (AWS Certificate Manager) [Added]
T3810: Do not use certificate pinning (AWS Certificate Manager) [Added]
- P1889: Obsolete and less-secure protocol (AWS Certificate Manager) [Added]
T3811: Verify the use of wildcard domain names in certificates (AWS Certificate Manager) [Added]
- P1887: Single-point of failure and vulnerability to ALPACA exploits (AWS Certificate Manager) [Added]
T3812: Verify that non-AWS certificates are monitored for expiry (AWS Certificate Manager) [Added]
- P1888: Interruption in availability due to expired certificates (AWS Certificate Manager) [Added]
T3813: Verify the use of certificate pinning (AWS Certificate Manager) [Added]
- P1889: Obsolete and less-secure protocol (AWS Certificate Manager) [Added]
T3814: Follow standard domain security practices (AWS Route53) [Added]
- P1890: Unprotected domain records (AWS Route53) [Added]
T3815: Consider supporting DNSSEC signing with your domains (AWS Route53) [Added]
- P1891: Vulnerability to domain spoofing (AWS Route53) [Added]
T3816: Test standard domain security practices (AWS Route53) [Added]
- P1890: Unprotected domain records (AWS Route53) [Added]
T3817: Verify the support of DNSSEC signing with your domains (AWS Route53) [Added]
- P1891: Vulnerability to domain spoofing (AWS Route53) [Added]
T3818: Incorporate regular scanning to detect ECR image vulnerabilities (AWS Elastic Container Registry) [Added]
- P1892: Undetected vulnerabilities in images (AWS Elastic Container Registry) [Added]
T3819: Do not allow public access to ECR images (AWS Elastic Container Registry) [Added]
- P1893: Information leaks through public images (AWS Elastic Container Registry) [Added]
T3820: Consider using a customer-managed key for ECR encryption (AWS Elastic Container Registry) [Added]
- P1894: Lack of control over encryption (AWS Elastic Container Registry) [Added]
T3821: Verify ECR image vulnerability detection (AWS Elastic Container Registry) [Added]
- P1892: Undetected vulnerabilities in images (AWS Elastic Container Registry) [Added]
T3822: Verify public access to ECR images (AWS Elastic Container Registry) [Added]
- P1893: Information leaks through public images (AWS Elastic Container Registry) [Added]
T3823: Verify customer-managed keys for ECR encryption (AWS Elastic Container Registry) [Added]
- P1894: Lack of control over encryption (AWS Elastic Container Registry) [Added]
T3824: Enable encryption at rest (AWS Elastic File System) [Added]
- P1895: Plaintext storage of data (AWS Elastic File System) [Added]
T3825: Consider using a customer-managed key for encryption (AWS Elastic File System) [Added]
- P1896: Lack of control over encryption (AWS Elastic File System) [Added]
T3826: Mount volumes with TLS enabled (AWS Elastic File System) [Added]
- P1897: Failure to provide encryption for data in transit (AWS Elastic File System) [Added]
T3827: Enable and configure automatic backups (AWS Elastic File System) [Added]
- P1898: Failure to safeguard data against failures and error (AWS Elastic File System) [Added]
T3828: Use access points to segregate application access with shared data sets (AWS Elastic File System) [Added]
- P1899: Excessive application permissions for file access (AWS Elastic File System) [Added]
T3829: Verify encryption at rest (AWS Elastic File System) [Added]
- P1895: Plaintext storage of data (AWS Elastic File System) [Added]
T3830: Verify customer-managed key for encryption (AWS Elastic File System) [Added]
- P1896: Lack of control over encryption (AWS Elastic File System) [Added]
T3831: Verify mounted volumes security (AWS Elastic File System) [Added]
- P1897: Failure to provide encryption for data in transit (AWS Elastic File System) [Added]
T3832: Verify automatic backups configuration (AWS Elastic File System) [Added]
- P1898: Failure to safeguard data against failures and error (AWS Elastic File System) [Added]
T3833: Verify access points segregation to access shared data sets (AWS Elastic File System) [Added]
- P1899: Excessive application permissions for file access (AWS Elastic File System) [Added]
T3834: Enable DKIM to prevent email spoofing (AWS Simple Email Service) [Added]
- P1900: Potential use of email domains in spam, spoofing, and phishing attacks (AWS Simple Email Service) [Added]
T3835: Delete personal data when no longer in use (AWS Simple Email Service) [Added]
- P1901: Potential disclosure of PII (AWS Simple Email Service) [Added]
T3836: Restrict permissions with IAM conditions (AWS Simple Email Service) [Added]
- P1902: Insufficient restrictions on email identities (AWS Simple Email Service) [Added]
T3837: Review sending authorization policies to prevent unauthorized delegate senders (AWS Simple Email Service) [Added]
- P1903: Unintended cross-account use of email identities (AWS Simple Email Service) [Added]
T3838: Monitor sending activity (AWS Simple Email Service) [Added]
- P1904: Undetected email delivery issues (AWS Simple Email Service) [Added]
T3839: Use VPC endpoints to keep SMTP traffic off of the public internet (AWS Simple Email Service) [Added]
- P1905: Exposed service communication with public endpoints (AWS Simple Email Service) [Added]
T3840: Test email spoofing prevention (AWS Simple Email Service) [Added]
- P1900: Potential use of email domains in spam, spoofing, and phishing attacks (AWS Simple Email Service) [Added]
T3841: Verify unused personal data (AWS Simple Email Service) [Added]
- P1901: Potential disclosure of PII (AWS Simple Email Service) [Added]
T3842: Verify permissions restricted with IAM conditions (AWS Simple Email Service) [Added]
- P1902: Insufficient restrictions on email identities (AWS Simple Email Service) [Added]
T3843: Verify sending authorization policies (AWS Simple Email Service) [Added]
- P1903: Unintended cross-account use of email identities (AWS Simple Email Service) [Added]
T3844: Verify sending activity monitoring (AWS Simple Email Service) [Added]
- P1904: Undetected email delivery issues (AWS Simple Email Service) [Added]
T3845: Verify VPC endpoints (AWS Simple Email Service) [Added]
- P1905: Exposed service communication with public endpoints (AWS Simple Email Service) [Added]
T3846: Do not create FTP-enabled servers (AWS Transfer Family) [Added]
- P1906: Unencrypted network connection (AWS Transfer Family) [Added]
T3847: Use the strongest supported security policy for SFTP/FTPS encryption (AWS Transfer Family) [Added]
- P1907: Potentially weak encryption (AWS Transfer Family) [Added]
T3848: Grant permissions to users with managed policies (AWS Transfer Family) [Added]
- P1908: Mismatched permissions (AWS Transfer Family) [Added]
T3849: Verify FTP-enabled servers (AWS Transfer Family) [Added]
- P1906: Unencrypted network connection (AWS Transfer Family) [Added]
T3850: Verify security policy for SFTP/FTPS encryption (AWS Transfer Family) [Added]
- P1907: Potentially weak encryption (AWS Transfer Family) [Added]
T3851: Verify user permissions (AWS Transfer Family) [Added]
- P1908: Mismatched permissions (AWS Transfer Family) [Added]
T3852: Encrypt clusters when storing sensitive data (AWS RedShift) [Added]
- P1909: Unencrypted data at rest (AWS RedShift) [Added]
T3853: Require TLS to encrypt data in transit (AWS RedShift) [Added]
- P1910: Failure to provide encryption for data in transit (AWS RedShift) [Added]
T3854: Do not use default names for a database or the admin account (AWS RedShift) [Added]
- P1911: Using the default database name and admin account name (AWS RedShift) [Added]
T3855: Ensure clusters are not publicly accessible (AWS RedShift) [Added]
- P1912: Publicly accessible clusters (AWS RedShift) [Added]
T3856: Enable audit logging for databases (AWS RedShift) [Added]
- P1913: Failure to monitor database activity (AWS RedShift) [Added]
T3857: Use managed IAM policies to grant permissions to users (AWS RedShift) [Added]
- P1914: Excessive permissions (AWS RedShift) [Added]
T3858: Use an automated backup schedule with databases (AWS RedShift) [Added]
- P1915: Failure to safeguard against data loss (AWS RedShift) [Added]
T3859: Verify cluster encryption (AWS RedShift) [Added]
- P1909: Unencrypted data at rest (AWS RedShift) [Added]
T3860: Verify data in transit encryption(AWS RedShift) [Added]
- P1910: Failure to provide encryption for data in transit (AWS RedShift) [Added]
T3861: Verify names for database and admin account (AWS RedShift) [Added]
- P1911: Using the default database name and admin account name (AWS RedShift) [Added]
T3862: Verify cluster accessibility (AWS RedShift) [Added]
- P1912: Publicly accessible clusters (AWS RedShift) [Added]
T3863: Verify audit logging for databases (AWS RedShift) [Added]
- P1913: Failure to monitor database activity (AWS RedShift) [Added]
T3864: Verify users' IAM policies (AWS RedShift) [Added]
- P1914: Excessive permissions (AWS RedShift) [Added]
T3865: Verify automated backup schedule (AWS RedShift) [Added]
- P1915: Failure to safeguard against data loss (AWS RedShift) [Added]
T3866: Do not use publicly accessible MQ brokers (AWS MQ) [Added]
- P1916: Publicly accessible brokers (AWS MQ) [Added]
T3867: Block unnecessary protocols (AWS MQ) [Added]
- P1917: Unnecessary features that create a larger attack surface (AWS MQ) [Added]
T3868: Keep MQ current with automatic updates (AWS MQ) [Added]
- P1918: Out-of-date software (AWS MQ) [Added]
T3869: Ensure activity is logged (AWS MQ) [Added]
- P1919: Failure to store a log of MQ events (AWS MQ) [Added]
T3870: Verify MQ brokers accessibility(AWS MQ) [Added]
- P1916: Publicly accessible brokers (AWS MQ) [Added]
T3871: Verify protocols (AWS MQ) [Added]
- P1917: Unnecessary features that create a larger attack surface (AWS MQ) [Added]
T3872: Verify MQ automatic updates (AWS MQ) [Added]
- P1918: Out-of-date software (AWS MQ) [Added]
T3873: Verify activity logging (AWS MQ) [Added]
- P1919: Failure to store a log of MQ events (AWS MQ) [Added]
T3874: Enable at-rest encryption (AWS OpenSearch Service) [Added]
- P1920: Sensitive information stored in plaintext (AWS OpenSearch Service) [Added]
T3875: Enable node-to-node encryption (AWS OpenSearch Service) [Added]
- P1921: Failure to provide encryption for data in transit (AWS OpenSearch Service) [Added]
T3876: Do not expose a public endpoint to domains (AWS OpenSearch Service) [Added]
- P1922: Exposed services with public endpoints (AWS OpenSearch Service) [Added]
T3877: Restrict domains to known IP addresses (AWS OpenSearch Service) [Added]
- P1923: Overly accessible OpenSearch domains (AWS OpenSearch Service) [Added]
T3878: Enable audit logging with fine-grained access controls (AWS OpenSearch Service) [Added]
- P1924: Failure to monitor events for errors and security incidents (AWS OpenSearch Service) [Added]
T3879: Verify at-rest encryption (AWS OpenSearch Service) [Added]
- P1920: Sensitive information stored in plaintext (AWS OpenSearch Service) [Added]
T3880: Verify node-to-node encryption (AWS OpenSearch Service) [Added]
- P1921: Failure to provide encryption for data in transit (AWS OpenSearch Service) [Added]
T3881: Verify public endpoint to domain exposure (AWS OpenSearch Service) [Added]
- P1922: Exposed services with public endpoints (AWS OpenSearch Service) [Added]
T3882: Verify domain restrictions (AWS OpenSearch Service) [Added]
- P1923: Overly accessible OpenSearch domains (AWS OpenSearch Service) [Added]
T3883: Verify audit logging and access controls (AWS OpenSearch Service) [Added]
- P1924: Failure to monitor events for errors and security incidents (AWS OpenSearch Service) [Added]
T3884: Ensure provisioned clusters are not publicly accessible (AWS MSK) [Added]
- P1925: Publicly accessible clusters (AWS MSK) [Added]
T3885: Enable logs for provisioned clusters (AWS MSK) [Added]
- P1926: Failure to monitor cluster activity (AWS MSK) [Added]
T3886: Consider placing ZooKeper nodes in a separate security group (AWS MSK) [Added]
- P1927: Overly permissive network access policy (AWS MSK) [Added]
T3887: Verify provisioned clusters accessibility (AWS MSK) [Added]
- P1925: Publicly accessible clusters (AWS MSK) [Added]
T3888: Verify logs for provisioned clusters (AWS MSK) [Added]
- P1926: Failure to monitor cluster activity (AWS MSK) [Added]
T3889: Verify groups of ZooKeper nodes (AWS MSK) [Added]
- P1927: Overly permissive network access policy (AWS MSK) [Added]
T3890: Enable at-rest encryption for Redis clusters (AWS ElastiCache) [Added]
- P1928: Plaintext storage of data (AWS ElastiCache) [Added]
T3891: Enable in-transit encryption for Redis clusters (AWS ElastiCache) [Added]
- P1929: Unencrypted transmission of data and lack of authentication (AWS ElastiCache) [Added]
T3892: Enable Redis failover support for clusters that require high availability (AWS ElastiCache) [Added]
- P1930: Lack of fault tolerance (AWS ElastiCache) [Added]
T3893: Ensure you are using secure configuration defaults when creating a new ElastiCache cluster (AWS ElastiCache) [Added]
- P1931: Poor configuration leading to reduced availability and exposure to known vulnerabilities (AWS ElastiCache) [Added]
T3894: Monitor authentication metrics for Redis clusters (AWS ElastiCache) [Added]
- P1932: Failure to monitor for security incidents (AWS ElastiCache) [Added]
T3895: Verify at-rest encryption for Redis clusters is enabled (AWS ElastiCache) [Added]
- P1928: Plaintext storage of data (AWS ElastiCache) [Added]
T3896: Verify in-transit encryption for Redis clusters is enabled (AWS ElastiCache) [Added]
- P1929: Unencrypted transmission of data and lack of authentication (AWS ElastiCache) [Added]
T3897: Verify Redis failover support for clusters that require high availability is enabled (AWS ElastiCache) [Added]
- P1930: Lack of fault tolerance (AWS ElastiCache) [Added]
T3898: Verify secure configuration defaults are set for ElastiCache clusters (AWS ElastiCache) [Added]
- P1931: Poor configuration leading to reduced availability and exposure to known vulnerabilities (AWS ElastiCache) [Added]
T3899: Verify authentication metrics for Redis clusters are monitored (AWS ElastiCache) [Added]
- P1932: Failure to monitor for security incidents (AWS ElastiCache) [Added]
T3900: Implement and use code change management strategy (GitHub) [Added]
- P1933: Inadequate code governance and security (GitHub) [Added]
- TA6555: Ensure any changes to code are tracked in a version control platform [Added]
- TA6556: Ensure any change to code can be traced back to its associated task [Added]
- TA6557: Ensure any change to code receives approval of two strongly authenticated users [Added]
- TA6558: Ensure previous approvals are dismissed when updates are introduced to a code change proposal [Added]
- TA6559: Ensure there are restrictions on who can dismiss code change reviews [Added]
- TA6560: Ensure code owners are set for extra sensitive code or configuration [Added]
- TA6561: Ensure code owner's review is required when a change affects owned code [Added]
- TA6562: Ensure inactive branches are periodically reviewed and removed [Added]
- TA6563: Ensure all checks have passed before merging new code [Added]
- TA6564: Ensure open Git branches are up to date before they can be merged into code base [Added]
- TA6565: Ensure branch protection rules are enforced for administrators [Added]
- TA6566: Ensure force push code to branches is denied [Added]
- TA6567: Ensure branch deletions are denied [Added]
- TA6568: Ensure any merging of code is automatically scanned for risks [Added]
- TA6569: Ensure any changes to branch protection rules are audited [Added]
- TA6570: Ensure branch protection is enforced on the default branch [Added]
- TA6646: Ensure all open comments are resolved before allowing code change merging [Added]
- TA6647: Ensure verification of signed commits for new changes before merging [Added]
- TA6648: Ensure linear history is required [Added]
- TA6649: Ensure pushing or merging of new code is restricted to specific individuals or teams [Added]
T3901: Enforce repository management and security strategies (GitHub) [Added]
- P1934: Insufficient repository management and security (GitHub) [Added]
- TA6571: Ensure all public repositories contain a SECURITY.md file [Added]
- TA6572: Ensure repository creation is limited to specific members [Added]
- TA6573: Ensure repository deletion is limited to specific users [Added]
- TA6574: Ensure issue deletion is limited to specific users [Added]
- TA6575: Ensure all copies (forks) of code are tracked and accounted for [Added]
- TA6576: Ensure all code projects are tracked for changes in visibility status [Added]
- TA6577: Ensure inactive repositories are reviewed and archived periodically [Added]
T3902: Ensure regular review and inactive users removal (GitHub) [Added]
- P1935: Insufficient organizational and access controls (GitHub) [Added]
- TA6578: Ensure team creation is limited to specific members [Added]
- TA6579: Ensure minimum number of administrators are set for the organization [Added]
- TA6580: Ensure strict base permissions are set for repositories [Added]
- TA6581: Ensure anomalous code behavior is tracked [Added]
- TA6650: Ensure inactive users are reviewed and removed periodically [Added]
- TA6651: Ensure Multi-Factor Authentication (MFA) is required for contributors of new code [Added]
- TA6652: Ensure the organization is requiring members to use Multi-Factor Authentication (MFA) [Added]
- TA6653: Ensure new members are required to be invited using company-approved email [Added]
- TA6654: Ensure two administrators are set for each repository [Added]
- TA6655: Ensure an organization’s identity is confirmed with a “Verified” badge [Added]
- TA6656: Ensure Source Code Management (SCM) email notifications are restricted to verified domains [Added]
- TA6657: Ensure an organization provides SSH certificates [Added]
- TA6658: Ensure Git access is limited based on IP addresses [Added]
T3903: Implement application and webhook security strategies (GitHub) [Added]
- P1936: Insufficient application and integration management (GitHub) [Added]
- TA6582: Ensure administrator approval is required for every installed application [Added]
- TA6583: Ensure stale applications are reviewed and inactive ones are removed [Added]
- TA6584: Ensure the access granted to each installed application is limited to the least privilege needed [Added]
- TA6585: Ensure only secured webhooks are used [Added]
T3904: Implement comprehensive scanning and security measures (GitHub) [Added]
- P1937: Inadequate automated security scanning (GitHub) [Added]
- TA6659: Ensure scanners are in place to identify and prevent sensitive data in code [Added]
- TA6660: Ensure scanners are in place to secure Continuous Integration (CI) pipeline instructions [Added]
- TA6661: Ensure scanners are in place to secure Infrastructure as Code (IaC) instructions [Added]
- TA6662: Ensure scanners are in place for code vulnerabilities [Added]
- TA6663: Ensure scanners are in place for open-source vulnerabilities in used packages [Added]
- TA6664: Ensure scanners are in place for open-source license issues in used packages [Added]
T3905: Ensure pipeline efficiency and security (GitHub) [Added]
- P1938: Insufficient build environment security and management (GitHub) [Added]
- TA6586: Ensure all aspects of the pipeline infrastructure and configuration are immutable [Added]
- TA6587: Ensure the build environment is logged [Added]
- TA6588: Ensure the creation of the build environment is automated [Added]
- TA6589: Ensure access to build environments is limited [Added]
- TA6590: Ensure users must authenticate to access the build environment [Added]
- TA6591: Ensure the build infrastructure is automatically scanned for vulnerabilities [Added]
- TA6592: Ensure default passwords are not used [Added]
- TA6593: Ensure webhooks of the build environment are secured [Added]
- TA6594: Ensure minimum number of administrators are set for the build environment [Added]
- TA6665: Ensure each pipeline has a single responsibility [Added]
- TA6666: Ensure build secrets are limited to the minimal necessary scope [Added]
T3906: Implement secure build worker management (GitHub) [Added]
- P1939: Insufficient build worker security and management (GitHub) [Added]
- TA6595: Ensure build workers are single-used [Added]
- TA6596: Ensure build worker environments and commands are passed and not pulled [Added]
- TA6597: Ensure the duties of each build worker are segregated [Added]
- TA6598: Ensure build workers have minimal network connectivity [Added]
- TA6599: Ensure run-time security is enforced for build workers [Added]
- TA6600: Ensure build workers are automatically scanned for vulnerabilities [Added]
- TA6601: Ensure build workers' deployment configuration is stored in a version control platform [Added]
- TA6602: Ensure resource consumption of build workers is monitored [Added]
T3907: Ensure pipeline definition and security (GitHub) [Added]
- P1940: Inadequate pipeline security and configuration management (GitHub) [Added]
- TA6603: Ensure all build steps are defined as code [Added]
- TA6604: Ensure steps have clearly defined build stage input and output [Added]
- TA6605: Ensure output is written to a separate, secured storage repository [Added]
- TA6606: Ensure changes to pipeline files are tracked and reviewed [Added]
- TA6607: Ensure access to build process triggering is minimized [Added]
- TA6608: Ensure pipelines are automatically scanned for misconfigurations [Added]
- TA6609: Ensure pipelines are automatically scanned for vulnerabilities [Added]
- TA6667: Ensure scanners are in place to identify and prevent sensitive data in pipeline files [Added]
T3908: Enforce artifact signing (GitHub) [Added]
- P1941: Insufficient artifact and dependency security (GitHub) [Added]
- TA6610: Ensure all artifacts on all releases are signed [Added]
- TA6611: Ensure all external dependencies used in the build process are locked [Added]
- TA6612: Ensure dependencies are validated before being used [Added]
- TA6613: Ensure the build pipeline creates reproducible artifacts [Added]
- TA6614: Ensure pipeline steps produce a Software Bill of Materials (SBOM) [Added]
- TA6615: Ensure pipeline steps sign the Software Bill of Materials (SBOM) produced [Added]
- TA6668: Ensure all artifacts on all releases are signed (level 2) [Added]
T3909: Ensure third-party artifact security (GitHub) [Added]
- P1942: Insufficient third-party and open-source security (GitHub) [Added]
- TA6616: Ensure third-party artifacts and open-source libraries are verified [Added]
- TA6617: Ensure Software Bill of Materials (SBOM) is required from all third-party suppliers [Added]
- TA6618: Ensure signed metadata of the build process is required and verified [Added]
- TA6619: Ensure dependencies are monitored between open-source components [Added]
- TA6620: Ensure trusted package managers and repositories are defined and prioritized [Added]
- TA6621: Ensure a signed Software Bill of Materials (SBOM) of the code is supplied [Added]
- TA6622: Ensure dependencies are pinned to a specific, verified version [Added]
- TA6669: Ensure all packages used are more than 60 days old [Added]
T3910: Implement dependency management strategy (GitHub) [Added]
- P1943: Inadequate dependency management and security (GitHub) [Added]
- TA6623: Ensure an organization-wide dependency usage policy is enforced [Added]
- TA6624: Ensure packages are automatically scanned for known vulnerabilities [Added]
- TA6625: Ensure packages are automatically scanned for license implications [Added]
- TA6626: Ensure packages are automatically scanned for ownership change [Added]
T3911: Ensure distributed artifact security (GitHub) [Added]
- P1944: Insufficient artifact security and distribution control (GitHub) [Added]
- TA6670: Ensure all artifacts are signed by the build pipeline itself [Added]
- TA6671: Ensure artifacts are encrypted before distribution [Added]
- TA6672: Ensure only authorized platforms have decryption capabilities of artifacts [Added]
T3912: Enforce artifact certification and uploading rules (GitHub) [Added]
- P1945: Insufficient control and security of package registry (GitHub) [Added]
- TA6627: Ensure the authority to certify artifacts is limited [Added]
- TA6628: Ensure number of permitted users who may upload new artifacts is minimized [Added]
- TA6629: Ensure user management of the package registry is not local [Added]
- TA6630: Ensure anonymous access to artifacts is revoked [Added]
- TA6631: Ensure minimum number of administrators are set for the package registry [Added]
- TA6673: Ensure user access to the package registry utilizes Multi-Factor Authentication (MFA) [Added]
T3913: Implement package registry security (GitHub) [Added]
- P1946: Inadequate package registry validation and security (GitHub) [Added]
- TA6632: Ensure all signed artifacts are validated upon uploading the package registry [Added]
- TA6633: Ensure all versions of an existing artifact have their signatures validated [Added]
- TA6634: Ensure changes in package registry configuration are audited [Added]
- TA6635: Ensure webhooks of the repository are secured [Added]
T3914: Implement artifact origin information policy (GitHub) [Added]
- P1947: Lack of artifact origin information (GitHub) [Added]
- TA6636: Ensure artifacts contain information about their origin [Added]
T3915: Enforce separation of deployment configuration files (GitHub) [Added]
- P1948: Inadequate deployment configuration management and security (GitHub) [Added]
- TA6637: Ensure changes in deployment configuration are audited [Added]
- TA6638: Ensure scanners are in place to identify and prevent sensitive data in deployment configuration [Added]
- TA6639: Limit access to deployment configurations [Added]
- TA6640: Ensure deployment configuration manifests are verified [Added]
- TA6641: Ensure deployment configuration manifests are pinned to a specific, verified version [Added]
- TA6674: Ensure deployment configuration files are separated from source code [Added]
- TA6675: Scan Infrastructure as Code (IaC) [Added]
T3916: Ensure automated and secure deployment (GitHub) [Added]
- P1949: Insecure and uncontrolled deployment practices (GitHub) [Added]
- TA6642: Ensure deployments are automated [Added]
- TA6643: Ensure the deployment environment is reproducible [Added]
- TA6644: Ensure access to production environment is limited [Added]
- TA6645: Ensure default passwords are not used [Added]
T3917: Test code change management strategies (GitHub) [Added]
- P1933: Inadequate code governance and security (GitHub) [Added]
- TA6676: Test code tracking in a version control platform [Added]
- TA6677: Test traceability of code changes to their associated tasks [Added]
- TA6678: Test approval process for code changes by two strongly authenticated users [Added]
- TA6679: Test dismissal of previous approvals when updates are introduced to a code change proposal [Added]
- TA6680: Test restrictions on who can dismiss code change reviews [Added]
- TA6681: Test code owner settings for extra sensitive code or configuration [Added]
- TA6682: Test requirement of code owner's review when a change affects owned code [Added]
- TA6683: Test periodic review and removal of inactive branches [Added]
- TA6684: Test passing of all checks before merging new code [Added]
- TA6685: Test updating of open Git branches before merging into the code base [Added]
- TA6686: Test branch protection rules enforcement for administrators [Added]
- TA6687: Test denial of force push code to branches [Added]
- TA6688: Test denial of branch deletions [Added]
- TA6689: Test automatic scanning for risks when merging code [Added]
- TA6690: Test auditing of changes to branch protection rules [Added]
- TA6691: Test enforcement of branch protection on the default branch [Added]
- TA6767: Test resolution of all open comments before allowing code change merging [Added]
- TA6768: Test verification of signed commits for new changes before merging [Added]
- TA6769: Test enforcement of linear history [Added]
- TA6770: Test restriction of pushing or merging new code to specific individuals or teams [Added]
T3918: Test repository management and security strategies (GitHub) [Added]
- P1934: Insufficient repository management and security (GitHub) [Added]
- TA6692: Test presence of SECURITY.md file in all public repositories [Added]
- TA6693: Test restriction of repository creation to specific members [Added]
- TA6694: Test restriction of repository deletion to specific users [Added]
- TA6695: Test restriction of issue deletion to specific users [Added]
- TA6696: Test tracking and accounting of all copies (forks) of code [Added]
- TA6697: Test tracking of changes in visibility status for all code projects [Added]
- TA6698: Test periodic review and archiving of inactive repositories [Added]
T3919: Test regular review and inactive users removal (GitHub) [Added]
- P1935: Insufficient organizational and access controls (GitHub) [Added]
- TA6699: Test restriction of team creation to specific members [Added]
- TA6700: Test setting of minimum number of administrators for the organization [Added]
- TA6701: Test enforcement of strict base permissions for repositories [Added]
- TA6702: Test tracking of anomalous code behavior [Added]
- TA6771: Test periodic review and removal of inactive users [Added]
- TA6772: Test requirement of Multi-Factor Authentication (MFA) for contributors of new code [Added]
- TA6773: Test enforcement of Multi-Factor Authentication (MFA) for organization members [Added]
- TA6774: Test requirement of company-approved email for inviting new members [Added]
- TA6775: Test setting of two administrators for each repository [Added]
- TA6776: Test confirmation of an organization’s identity with a “Verified” badge [Added]
- TA6777: Test restriction of Source Code Management (SCM) email notifications to verified domains [Added]
- TA6778: Test provision of SSH certificates by the organization [Added]
- TA6779: Test limitation of Git access based on IP addresses [Added]
T3920: Test application and webhook security strategies (GitHub) [Added]
- P1936: Insufficient application and integration management (GitHub) [Added]
- TA6703: Test requirement of administrator approval for every installed application [Added]
- TA6704: Test periodic review and removal of stale applications [Added]
- TA6705: Test limiting of access granted to each installed application to the least privilege needed [Added]
- TA6706: Test usage of only secured webhooks [Added]
T3921: Test scanning and security measures (GitHub) [Added]
- P1937: Inadequate automated security scanning (GitHub) [Added]
- TA6780: Test presence of scanners to identify and prevent sensitive data in code [Added]
- TA6781: Test presence of scanners to secure Continuous Integration (CI) pipeline instructions [Added]
- TA6782: Test presence of scanners to secure Infrastructure as Code (IaC) instructions [Added]
- TA6783: Test presence of scanners for code vulnerabilities [Added]
- TA6784: Test presence of scanners for open-source vulnerabilities in used packages [Added]
- TA6785: Test presence of scanners for open-source license issues in used packages [Added]
T3922: Test pipeline efficiency and security (GitHub) [Added]
- P1938: Insufficient build environment security and management (GitHub) [Added]
- TA6707: Test immutability of all aspects of the pipeline infrastructure and configuration [Added]
- TA6708: Test logging of the build environment [Added]
- TA6709: Test automation of the build environment creation [Added]
- TA6710: Test limitation of access to build environments [Added]
- TA6711: Test requirement of user authentication to access the build environment [Added]
- TA6712: Test automatic scanning of build infrastructure for vulnerabilities [Added]
- TA6713: Test non-usage of default passwords [Added]
- TA6714: Test securing of webhooks in the build environment [Added]
- TA6715: Test setting of minimum number of administrators for the build environment [Added]
- TA6786: Test ensuring each pipeline has a single responsibility [Added]
- TA6787: Test limiting of build secrets to the minimal necessary scope [Added]
T3923: Test secure build worker management (GitHub) [Added]
- P1939: Insufficient build worker security and management (GitHub) [Added]
- TA6716: Test single-use policy for build workers [Added]
- TA6717: Test passing of build worker environments and commands, not pulling [Added]
- TA6718: Test segregation of duties for each build worker [Added]
- TA6719: Test minimal network connectivity for build workers [Added]
- TA6720: Test enforcement of run-time security for build workers [Added]
- TA6721: Test automatic scanning of build workers for vulnerabilities [Added]
- TA6722: Test storage of build workers' deployment configuration in a version control platform [Added]
- TA6723: Test monitoring of resource consumption by build workers [Added]
T3924: Test pipeline definition and security (GitHub) [Added]
- P1940: Inadequate pipeline security and configuration management (GitHub) [Added]
- TA6724: Test defining of all build steps as code [Added]
- TA6725: Test clearly defined build stage input and output for steps [Added]
- TA6726: Test writing of output to a separate, secured storage repository [Added]
- TA6727: Test tracking and reviewing of changes to pipeline files [Added]
- TA6728: Test minimizing access to build process triggering [Added]
- TA6729: Test automatic scanning of pipelines for misconfigurations [Added]
- TA6730: Test automatic scanning of pipelines for vulnerabilities [Added]
- TA6788: Test presence of scanners to identify and prevent sensitive data in pipeline files [Added]
T3925: Test artifact signing (GitHub) [Added]
- P1941: Insufficient artifact and dependency security (GitHub) [Added]
- TA6731: Test signing of all artifacts on all releases [Added]
- TA6732: Test locking of all external dependencies used in the build process [Added]
- TA6733: Test validation of dependencies before use [Added]
- TA6734: Test creation of reproducible artifacts by the build pipeline [Added]
- TA6735: Test production of a Software Bill of Materials (SBOM) by pipeline steps [Added]
- TA6736: Test signing of the Software Bill of Materials (SBOM) produced by pipeline steps [Added]
- TA6789: Test signing of all artifacts on all releases (level 2) [Added]
T3926: Test third-party artifact security (GitHub) [Added]
- P1942: Insufficient third-party and open-source security (GitHub) [Added]
- TA6737: Test verification of third-party artifacts and open-source libraries [Added]
- TA6738: Test requirement of a signed Software Bill of Materials (SBOM) from all third-party suppliers [Added]
- TA6739: Test requirement and verification of signed metadata of the build process [Added]
- TA6740: Test monitoring of dependencies between open-source components [Added]
- TA6741: Test defining and prioritizing of trusted package managers and repositories [Added]
- TA6742: Test supplying of a signed Software Bill of Materials (SBOM) of the code [Added]
- TA6743: Test pinning of dependencies to a specific, verified version [Added]
- TA6790: Test ensuring all packages used are more than 60 days old [Added]
T3927: Test dependency management strategy (GitHub) [Added]
- P1943: Inadequate dependency management and security (GitHub) [Added]
- TA6744: Test enforcement of an organization-wide dependency usage policy [Added]
- TA6745: Test automatic scanning of packages for known vulnerabilities [Added]
- TA6746: Test automatic scanning of packages for license implications [Added]
- TA6747: Test automatic scanning of packages for ownership change [Added]
T3928: Test distributed artifact security (GitHub) [Added]
- P1944: Insufficient artifact security and distribution control (GitHub) [Added]
- TA6791: Test signing of all artifacts by the build pipeline itself [Added]
- TA6792: Test encryption of artifacts before distribution [Added]
- TA6793: Test ensuring only authorized platforms have decryption capabilities of artifacts [Added]
T3929: Test artifact certification and uploading rules (GitHub) [Added]
- P1945: Insufficient control and security of package registry (GitHub) [Added]
- TA6748: Test limiting of the authority to certify artifacts [Added]
- TA6749: Test minimizing the number of permitted users who may upload new artifacts [Added]
- TA6750: Test non-local user management of the package registry [Added]
- TA6751: Test revocation of anonymous access to artifacts [Added]
- TA6752: Test setting of minimum number of administrators for the package registry [Added]
- TA6794: Test requirement of Multi-Factor Authentication (MFA) for user access to the package registry [Added]
T3930: Test package registry security (GitHub) [Added]
- P1946: Inadequate package registry validation and security (GitHub) [Added]
- TA6753: Test validation of all signed artifacts upon uploading to the package registry [Added]
- TA6754: Test validation of signatures for all versions of an existing artifact [Added]
- TA6755: Test auditing of changes in package registry configuration [Added]
- TA6756: Test securing of repository webhooks [Added]
T3931: Test artifact origin information policy (GitHub) [Added]
- P1947: Lack of artifact origin information (GitHub) [Added]
- TA6757: Test ensuring artifacts contain information about their origin [Added]
T3932: Test separation of deployment configuration files (GitHub) [Added]
- P1948: Inadequate deployment configuration management and security (GitHub) [Added]
- TA6758: Test auditing of changes in deployment configuration [Added]
- TA6759: Test presence of scanners to identify and prevent sensitive data in deployment configuration [Added]
- TA6760: Test limitation of access to deployment configurations [Added]
- TA6761: Test verification of deployment configuration manifests [Added]
- TA6762: Test pinning of deployment configuration manifests to a specific, verified version [Added]
- TA6795: Test separation of deployment configuration files from source code [Added]
- TA6796: Test scanning of Infrastructure as Code (IaC) [Added]
T3933: Test automated and secure deployment (GitHub) [Added]
- P1949: Insecure and uncontrolled deployment practices (GitHub) [Added]
- TA6763: Test automation of deployments [Added]
- TA6764: Test reproducibility of the deployment environment [Added]
- TA6765: Test limitation of access to the production environment [Added]
- TA6766: Test non-usage of default passwords [Added]
T3934: Implement policies for secure handling of business data [Added]
- P1950: Insecure handling of business data in Amazon business applications [Added]
T3935: Protect sensitive cost and billing data [Added]
- P1951: Exposure of sensitive billing data [Added]
T3936: Isolate application workloads according to security requirements [Added]
- P1952: Insufficient isolation of application workloads [Added]
T3937: Ensure compute services have sufficient resources and are fault tolerant [Added]
- P1953: Denial of service attacks against application workloads [Added]
T3938: Monitor application workloads and patch vulnerabilities [Added]
- P1954: Undetected vulnerabilities in application workloads [Added]
T3939: Deploy and manage application environments through automation [Added]
- P1955: Manual application management processes [Added]
T3940: Use trusted container images [Added]
- P1956: Vulnerable container images [Added]
T3941: Protect images against supply chain attacks [Added]
- P1957: Supply chain attacks that target container images [Added]
T3942: Run containers with a least privilege identity [Added]
- P1958: Containers with excessive privileges [Added]
T3943: Use IAM authentication for databases if supported [Added]
- P1959: Weaknesses in credential management [Added]
T3944: Create dedicated database user accounts with minimum privileges [Added]
- P1960: Excessive permissions for database user accounts [Added]
T3945: Use encryption to protect data at rest [Added]
- P1961: Unencrypted data at rest [Added]
T3946: Schedule regular database backups to protect availability [Added]
- P1962: Failure to safeguard against data loss in cloud database [Added]
T3947: Monitor database activity and consider audit logging [Added]
- P1963: Failure to monitor database activity in AWS databases [Added]
T3948: Use a centralized artifact store to manage dependencies [Added]
- P1964: Vulnerable or malicious application dependencies [Added]
T3949: Deploy software using automated processes [Added]
- P1965: Poor dependency management with manual deployment [Added]
T3950: Integrate application security testing into the CI/CD pipeline [Added]
- P1966: Insufficient controls to detect vulnerable code [Added]
T3951: Give developers least privilege access to the development environment [Added]
- P1967: Excessive permissions in the development environment [Added]
T3952: Log activity in the development environment [Added]
- P1968: Insufficient monitoring of development activity and CI/CD processes [Added]
T3953: Strengthen authentication and verification for WorkSpaces and AppStream clients [Added]
- P1969: Weak client authentication for application streaming [Added]
T3954: Prevent data leakage in WorksSpaces and AppStream environments [Added]
- P1970: Data exfiltration in application workspaces [Added]
T3955: Use the AWS Web Application Firewall (WAF) with AWS AppSync and AWS Amplify [Added]
- P1971: Failure to protect against common web attacks [Added]
T3956: Identify authentication requirements for web application clients [Added]
- P1972: Incorrect or insufficient authentication for web APIs or web applications [Added]
T3957: Add only secure hardware to your system [Added]
- P1973: Vulnerable device hardware or software [Added]
T3958: Assign a unique, secure identity to each IoT device using client certificates [Added]
- P1974: Insecure identity management for IoT devices [Added]
T3959: Protect sensitive data on the device [Added]
- P1975: Insecure storage of device data at rest [Added]
T3960: Use AWS IoT Device Defender as part of your IoT logging strategy [Added]
- P1976: Failure to monitor device activity [Added]
T3961: Use network segmentation strategies and a secure method to connect devices to the AWS cloud [Added]
- P1977: Weak network protections for IoT devices [Added]
T3962: Use AWS Organizations to manage multi-account setups [Added]
- P1978: Lack of isolation due to monolithic AWS architecture [Added]
T3963: Use automated processes to keep people away from data [Added]
- P1979: Manual management processes with insufficient security controls [Added]
T3964: Implement an autoscaling infrastructure [Added]
- P1980: Compromised availability due to lack of resources [Added]
T3965: Follow best practices for logging and monitoring [Added]
- P1981: Insecure or insufficient system logging [Added]
T3966: Implement token-based authentication or signed URLs [Added]
- P1982: Insufficient protection for high-value media content [Added]
T3967: Look for logging anomalies and consider watermarking content [Added]
- P1983: Failure to detect unauthorized media access [Added]
T3968: Secure communication from the publisher to your AWS account [Added]
- P1984: Failure to protect the entire content pipeline [Added]
T3969: Defend media workloads against denial of service attacks [Added]
- P1985: Denial of service attacks against streaming services [Added]
T3970: Follow the assess, mobilize, migrate pattern [Added]
- P1986: Lack of migration planning [Added]
T3971: Understand how discovery tools use data and ensure it is handled securely. [Added]
- P1987: Excessive permissions for discovery tools [Added]
T3972: Begin migrations by establishing a landing zone [Added]
- P1988: Incomplete or insecure deployment [Added]
T3973: Protect migration data with validation and a secure connection method [Added]
- P1989: Failure to safeguard data during migration [Added]
T3974: Vet data and monitor models according to best practices [Added]
- P1990: Data poisoning attacks [Added]
T3975: Vet training data sets for sensitive data and sanitize them [Added]
- P1991: Exposure of sensitive or confidential data [Added]
T3976: Isolate ML workloads [Added]
- P1992: Unecessary exposure of ML environments [Added]
T3977: Limit access to ML artifacts [Added]
- P1993: Insufficient protection for ML artifacts [Added]
T3978: Review the AWS Responsible AI Policy and ensure your application is in compliance [Added]
- P1994: Failure to meet the AWS Responsible AI Policy requirements [Added]
T3979: Segment your network and implement security controls between zones [Added]
- P1995: Insufficient network isolation in an AWS environment [Added]
T3980: Put public endpoints behind a content delivery network, gateway, or load balancer [Added]
- P1996: Failure to protect public endpoints [Added]
T3981: Harden VPCs against denial of service attacks [Added]
- P1997: Denial of service attacks against networks and public endpoints [Added]
T3982: Implement best practices for hybrid networks [Added]
- P1998: Weak security controls for hybrid networks [Added]
T3983: Follow best practices for key management and monitoring [Added]
- P1999: Insecure key management in AWS [Added]
T3984: Ensure security events trigger notifications and responses [Added]
- P2000: Insufficient monitoring of security events [Added]
T3985: Conduct regular security audits [Added]
- P2001: Failing to follow business security policy [Added]
T3986: Consider attribute-based access control (ABAC) for authorization at scale [Added]
- P2002: Inflexible IAM policies for large and dynamic systems [Added]
T3987: Implement access controls based on the sensitivity and criticality of data [Added]
- P2003: Insufficient data access controls [Added]
T3988: Use detective controls and data auditing to detect anomalous activity [Added]
- P2004: Failure to monitor storage access [Added]
T3989: Use policies to enforce automatic encryption [Added]
- P2005: Unencrypted data at rest in cloud storage [Added]
T3990: Schedule regular backups [Added]
- P2006: Failure to safeguard against data loss [Added]
T3991: Anonymize sensitive data so it is not visible in the analytics environment [Added]
- P2007: Insufficient privacy of data in analytics workloads [Added]
T3992: Ensure all types of data are reviewed and classified [Added]
- P2008: Insufficient data classification and data controls [Added]
T3993: Record data classification attributes in your data catalog [Added]
- P2009: Failure to maintain data classification and data controls in different workloads [Added]
T3994: Validate messages for sensitive data and implement masking and redaction [Added]
- P2010: Sensitive data in messaging services [Added]
T3995: Follow a least privilege approach when granting permissions to a service [Added]
- P2011: Overly broad permissions for AWS services [Added]
T3996: Disable public access [Added]
- P2012: Publicly accessible AWS services [Added]
T3997: Protect internal service communication with VPC endpoints [Added]
- P2013: Network eavesdropping or interception attacks in AWS services [Added]
T3998: Protect data in transit using TLS [Added]
- P2014: Unencrypted data in transit in AWS services [Added]
T3999: Protect data at rest with encryption [Added]
- P2015: Unencrypted data at rest in AWS services [Added]
T4000: Consider using customer-managed keys (CMKs) [Added]
- P2016: Lack of control over encryption keys in AWS services [Added]
T4001: Ensure logging features are enabled and configured appropriately [Added]
- P2017: Failure to monitor service activity in AWS services [Added]
T4002: Use conditions to limit policies to specific resources and accounts [Added]
- P2018: Confused deputy attacks in AWS services [Added]
T4003: Implement strict key processes for storing, handling, and using blockchain keys [Added]
- P2019: Insecure key management in AWS blockchain services [Added]
T4004: Use established patterns to hide private data and link it to blockchain transactions [Added]
- P2020: Disclosure of private business data [Added]
T4005: Have a plan for modifying smart contracts or mitigating newly discovered vulnerabilities [Added]
- P2021: Smart contract vulnerabilities [Added]
T4006: Follow security best practices when utilizing AI tools for code generation [Added]
- P2022: Insecure coding and hallucinations [Added]
T4007: Follow security best practices when utilizing AI tools for code documentation [Added]
- P2022: Insecure coding and hallucinations [Added]
T4008: Use a Human-in-the-Loop approach when utilizing AI tools [Added]
- P2023: Lack of expert oversight on AI-generated code [Added]
T4009: Do not use AI systems for prohibited practices [Added]
- P2024: Lack of complience with EU AI Act [Added]
T4010: Determine the risk level of your AI systems [Added]
- P2024: Lack of complience with EU AI Act [Added]
T4011: Implement transparency for end users of General Purpose AI systems [Added]
- P2025: Lack of transparency and accountability in AI systems [Added]
T4012: Implement requirments for your low risk AI systems [Added]
- P2025: Lack of transparency and accountability in AI systems [Added]
T4013: Establish a risk management system for high-risk AI systems [Added]
T4014: Ensure data integrity and governance for high-risk AI systems [Added]
T4015: Provide comprehensive technical documentation for high-risk AI systems [Added]
- P2025: Lack of transparency and accountability in AI systems [Added]
T4016: Implement robust record-keeping (logging) for high-risk AI systems [Added]
T4017: Ensure human oversight for high-risk AI systems [Added]
- P2026: Insufficient human oversight [Added]
T4018: Ensure transparency with deployers for high-risk AI systems [Added]
- P2025: Lack of transparency and accountability in AI systems [Added]
T4019: Implement transparency with users of high-risk AI systems [Added]
- P2025: Lack of transparency and accountability in AI systems [Added]
T4020: Ensure accuracy, robustness, and cybersecurity of high-risk AI systems [Added]
T4021: Establish a comprehensive quality management system (QMS) for high-risk AI systems [Added]
- P2027: Inadequate quality management of high-risk AI systems [Added]
T4022: Acquire a conformity certificate for high-risk AI systems via Comformity Assessment [Added]
- P2028: Insufficient validation of high-risk AI systems before market placement [Added]
T4023: Register high-risk AI systems and provide CE markings [Added]
- P2029: Lack of compliance and traceability for high-risk AI systems [Added]
T4024: Ensure the responsible and compliant use of high-risk AI systems by deployers [Added]
- P2030: Inadequate implementation and monitoring of high-risk AI systems by deployers [Added]
T4025: Provide Fundamental Rights Impact Assessment before deploying a high-risk AI system [Added]
- P2028: Insufficient validation of high-risk AI systems before market placement [Added]
T4026: Technical documentation for general-purpose AI models [Added]
- P2025: Lack of transparency and accountability in AI systems [Added]
T4027: Implement protocols and ensure compliance for General-Purpose AI models with systemic risk [Added]
- P2031: Inadequate managment of systemic risks associated with GPAI models [Added]
T4028: Appoint an authorized EU representative for general-purpose AI models (Non-EU providers) [Added]
- P2032: Lack of accountability for non-EU providers of AI models in the EU market [Added]
T4029: Establish post-market monitoring for high-risk AI systems [Added]
- P2033: Lack of post-market monitoring of AI systems [Added]
T4030: Adjust reporting policy/incident response plan for serious incidents involving high-risk AI systems [Added]
- P2034: Insufficient reporting and response to serious incidents [Added]
T4031: Consider using customer-managed encryption keys (CMKs) (AWS Bedrock) [Added]
- P2035: Lack of control with service-managed encryption keys (AWS Bedrock) [Added]
T4032: Prevent App Mesh nodes from forwarding external traffic (AWS App Mesh) [Added]
- P2036: Exposure to external (public) traffic (AWS App Mesh) [Added]
T4033: Require TLS for all App Mesh virtual gateways (AWS App Mesh) [Added]
- P2037: Unencrypted communication to mesh gateways (AWS App Mesh) [Added]
T4034: Regularly check that you are using the latest Envoy image (AWS App Mesh) [Added]
- P2038: Using an old version of the Envoy proxy (AWS App Mesh) [Added]
T4035: Use vault lock policies to prevent archive deletions (AWS S3 Glacier) [Added]
- P2039: Vault changes could violate compliance requirements (AWS S3 Glacier) [Added]
T4036: Always use certificate verification during uploads (AWS S3 Glacier) [Added]
- P2040: Uploading archives without certificate validation (AWS S3 Glacier) [Added]
T4037: Use CloudTrail to monitor Glacier vaults (AWS S3 Glacier) [Added]
- P2041: Failure to monitor vault activity (AWS S3 Glacier) [Added]
T4038: Enable encryption or configure a security policy for ETL jobs (AWS Glue) [Added]
- P2042: Unencrypted destination and temporary data (AWS Glue) [Added]
T4039: Enable encryption for the Data Catalog (AWS Glue) [Added]
- P2043: Unencrypted data in the Data Catalog (AWS Glue) [Added]
T4040: Create a limited service role for AWS Glue jobs and tasks (AWS Glue) [Added]
- P2044: Excessive permissions for the AWS Glue service (AWS Glue) [Added]
T4041: Consider using a customer managed key for encryption (AWS Glue) [Added]
- P2045: Lack of control over encryption keys (AWS Glue) [Added]
T4042: Use encrypted data stores with Lake Formation services (AWS Lake Formation) [Added]
- P2046: Unencrypted data at rest (AWS Lake Formation) [Added]
T4043: Enforce fine-grained access control (AWS Lake Formation) [Added]
- P2047: Incorrect configuration of Lake Formation permissions (AWS Lake Formation) [Added]
T4044: Grant minimum access to tables, columns, and rows (AWS Lake Formation) [Added]
- P2048: Excessive permissions for Lake Formation data access (AWS Lake Formation) [Added]
T4045: Use managed identities and follow a least privilege approach to granting permissions [Added]
- P2049: Overly broad permissions for a service [Added]
T4046: Disable public access and configure service endpoints [Added]
- P2050: Publicly accessible services [Added]
T4047: Protect internal service communication with Private Link [Added]
- P2051: Network eavesdropping or interception attacks [Added]
T4048: Protect data in transit using TLS [Added]
- P2052: Unencrypted data in transit in Azure [Added]
T4049: Protect data at rest with encryption [Added]
- P2053: Unencrypted data at rest in Azure [Added]
T4050: Consider using customer-managed keys (CMKs) [Added]
- P2054: Lack of control over encryption keys in Azure [Added]
T4051: Ensure logging features are enabled and configured appropriately [Added]
- P2055: Failure to monitor service activity in Azure [Added]
T4052: Follow best practices to harden Azure user accounts [Added]
- P2056: Insecure user account management practices in Azure [Added]
T4053: Restrict the use of highly privileged accounts [Added]
- P2057: Performing adminstrative tasks as the global administrator in Azure [Added]
T4054: Segregate Azure resources to limit risk [Added]
- P2058: Insufficient isolation in Azure environments [Added]
T4055: Disable cross-tenant object replication (Azure Blob Storage) [Added]
- P2059: Allowing cross-tenant object replication (Azure Blob Storage) [Added]
T4056: Enable point-in-time restores for containers (Azure Blob Storage) [Added]
- P2060: Insufficient protection against data loss or corruption (Azure Blob Storage) [Added]
T4057: Use best practices to limit security risks of SAS (Azure Blob Storage) [Added]
- P2061: Insecure use of SAS (Shared Access Signatures) (Azure Blob Storage) [Added]
T4058: Limit network access with an IP firewall (Azure Cosmos DB) [Added]
- P2062: Insufficient network-level protection (Azure Cosmos DB) [Added]
T4059: Enforce a minimum TLS version for database communication (Azure Cosmos DB) [Added]
- P2063: Weak encryption for data in transit (Azure Cosmos DB) [Added]
T4060: Create dedicated database user accounts with minimum privileges (Azure Cosmos DB) [Added]
- P2064: Excessive permissions for database access (Azure Cosmos DB) [Added]
T4061: Consider using customer-managed encryption keys (CMKs) (Azure Cosmos DB) [Added]
- P2065: Lack of control with service-managed encryption keys (Azure Cosmos DB) [Added]
T4062: Consider diagnostic settings for audit logging (Azure Cosmos DB) [Added]
- P2066: Failure to monitor database activity (Azure Cosmos DB) [Added]
T4063: Limit network access with firewall settings (Azure Data Factory) [Added]
- P2067: Insufficient network-level protection (Azure Data Factory) [Added]
T4064: Use outbound rules to limit outgoing traffic (Azure Data Factory) [Added]
- P2068: Unrestricted outgoing traffic (Azure Data Factory) [Added]
T4065: Consider using customer-managed encryption keys (CMKs) (Azure Data Factory) [Added]
- P2069: Lack of control with service-managed encryption keys (Azure Data Factory) [Added]
T4066: Store data factory secrets in Key Vault (Azure Data Factory) [Added]
- P2070: Inadequate protection of connection strings and credentials (Azure Data Factory) [Added]
T4067: Use ACLs and follow least privilege guidelines (Azure Data Lake Storage) [Added]
- P2071: Excessive file permissions (Azure Data Lake Storage) [Added]
T4068: Limit network access with firewall settings (Azure Data Lake Storage) [Added]
- P2072: Insufficient network-level protection (Azure Data Lake Storage) [Added]
T4069: Enable Microsoft Defender for storage accounts (Azure Data Lake Storage) [Added]
- P2073: Insufficient protection against exploits that target storage accounts (Azure Data Lake Storage) [Added]
T4070: Enforce TLS for all connections (Azure Data Lake Storage) [Added]
- P2074: Lack of protection for data in transit (Azure Data Lake Storage) [Added]
T4071: Conside using customer-managed encryption keys (CMKs) (Azure Data Lake Storage) [Added]
- P2075: Lack of control with service-managed encryption keys (Azure Data Lake Storage) [Added]
T4072: Enable soft delete features (Azure Data Lake Storage) [Added]
- P2076: Insufficient protection against data deletion (Azure Data Lake Storage) [Added]
T4073: Set retention policies on immutable data (Azure Data Lake Storage) [Added]
- P2077: Failing to prevent changes to data that must be retained in its original form (Azure Data Lake Storage) [Added]
T4074: Enable logging for file storage activity (Azure Data Lake Storage) [Added]
- P2078: Failure to monitor file storage activity (Azure Data Lake Storage) [Added]
T4075: Add a Resource Manager lock for every storage account (Azure Data Lake Storage) [Added]
- P2079: Storage account deletion (Azure Data Lake Storage) [Added]
T4076: Do not allow shared key authentication (Azure Data Lake Storage) [Added]
- P2080: Account keys grant excessive permissions with no security controls (Azure Data Lake Storage) [Added]
T4077: Limit network access with firewall settings (Azure Event Hubs) [Added]
- P2081: Insufficient network-level protection (Azure Event Hubs) [Added]
T4078: Prefer Microsoft Entra to shared access policies for authentication (Azure Event Hubs) [Added]
- P2082: Insecure management of authentication credentials (Azure Event Hubs) [Added]
T4079: Consider using customer-managed encryption keys (CMKs) (Azure Event Hubs) [Added]
- P2083: Lack of control with service-managed encryption keys (Azure Event Hubs) [Added]
T4080: Enforce a minimum TLS version of 1.2 (Azure Event Hubs) [Added]
- P2084: Weak encryption for data in transit (Azure Event Hubs) [Added]
T4081: Add only secure hardware to your system (Azure IoT Hub) [Added]
- P2085: Insecure devices (Azure IoT Hub) [Added]
T4082: Enable Defender for IoT for agentless threat detection (Azure IoT Hub) [Added]
- P2086: Insufficient monitoring and failure to detect security events (Azure IoT Hub) [Added]
T4083: Consider Device Update for IoT Hub (Azure IoT Hub) [Added]
- P2087: Devices with older software or firmware (Azure IoT Hub) [Added]
T4084: Limit network access with firewall settings (Azure IoT Hub) [Added]
- P2088: Insufficient network-level protection (Azure IoT Hub) [Added]
T4085: Prefer Microsoft Entra to shared access policies for authentication (Azure IoT Hub) [Added]
- P2089: Insecure management of authentication credentials (Azure IoT Hub) [Added]
T4086: Give minimum privileges when granting access to IoT Hub (Azure IoT Hub) [Added]
- P2090: Excessive permissions for IoT users (Azure IoT Hub) [Added]
T4087: Authenticate devices with X.509 Certificates (Azure IoT Hub) [Added]
- P2091: Poor credential management for IoT Hub devices (Azure IoT Hub) [Added]
T4088: Consider enforcing a minimum TLS version of 1.2 (Azure IoT Hub) [Added]
- P2092: Weak encryption for data in transit (Azure IoT Hub) [Added]
T4089: Apply for an exemption to abuse monitoring (Azure OpenAI) [Added]
- P2093: Abuse monitoring has access to highly sensitive information (Azure OpenAI) [Added]
T4090: Consider using customer-managed encryption keys (CMKs) (Azure OpenAI) [Added]
- P2094: Lack of control with service-managed encryption keys (Azure OpenAI) [Added]
T4091: Review the Responsible AI guidance and ensure your application is in compliance (Azure OpenAI) [Added]
- P2095: Failure to meet the Responsible AI requirements (Azure OpenAI) [Added]
T4092: Follow best practices for service account identities [Added]
- P2096: Insecure service identities in Google Cloud Platform (GCP) [Added]
T4093: Follow a least privilege approach when granting service permissions [Added]
- P2097: Overly broad permissions for a service in Google Cloud Platform (GCP) [Added]
T4094: Disable public access and use private connect [Added]
- P2098: Publicly accessible services in Google Cloud Platform (GCP) [Added]
T4095: Consider using customer-managed keys (CMEKs) [Added]
- P2099: Lack of control over encryption keys in Google Cloud Platform (GCP) [Added]
T4096: Ensure logging features are enabled and configured appropriately [Added]
- P2100: Failure to monitor service activity in Google Cloud Platform (GCP) [Added]
T4097: Follow best practices to harden GCP user accounts [Added]
- P2101: Insecure user account management practices in Google Cloud Platform (GCP) [Added]
T4098: Restrict the use of highly privileged accounts [Added]
- P2102: Performing adminstrative tasks as a super administrator in Google Cloud Platform (GCP) [Added]
T4099: Segregate GCP resources to limit risk [Added]
- P2103: Insufficient isolation in GCP environments in Google Cloud Platform (GCP) [Added]
T4100: Limit user permissions that can allow privilege escalation [Added]
- P2104: Privilege-escalation attacks with service accounts in Google Cloud Platform (GCP) [Added]
T4101: Use LDAPS or another encrypted protocol [Added]
- P2105: Unencrypted communication between clients and directory servers [Added]
T4102: Identify threats with active monitoring and pen testing [Added]
- P2106: LDAP reconnaissance [Added]
T4103: Implement secure password policies and MFA [Added]
- P2107: Weak password policies and authentication practices [Added]
T4104: Follow a least privilege approach when granting permissions [Added]
- P2108: Excessive user privileges [Added]
T4105: Sanitize input or use parameterized LDAP queries [Added]
- P2109: LDAP injection [Added]
T4106: Use network and OS controls to isolate directory servers [Added]
- P2110: Insufficient isolation of directory servers [Added]
T4107: Harden the backup process and limit human access [Added]
- P2111: Insecure replication or backup practices [Added]
T4108: Keep directory servers up to date [Added]
- P2112: Out-of-date software on the directory server [Added]
T4109: Use DNSSEC to sign DNS records [Added]
- P2113: DNS spoofing and cache poisoning [Added]
T4110: Implement in-transit encryption with DoT or DoH [Added]
- P2114: Lack of in-transit encryption for DNS queries [Added]
T4111: Implement DoS protections [Added]
- P2115: DNS denial of service attacks [Added]
T4112: Restrict zone transfers to authorized DNS servers [Added]
- P2116: Information exposure due to unauthorized zone transfers [Added]
T4113: Use strict access controls for administration in DNS servers [Added]
- P2117: Insecure management interfaces in DNS [Added]
T4114: Monitor DNS server activity [Added]
- P2118: Failure to monitor DNS server activity [Added]
T4115: Keep DNS servers up to date [Added]
- P2119: Out-of-date DNS server software [Added]
T4116: Deploy firewalls at the network perimeter and between zones [Added]
- P2120: Improper firewall placement [Added]
T4117: Follow best practices when writing and ordering firewall rules [Added]
- P2121: Disorganized firewall rules [Added]
T4118: Implement a logging strategy that satisfies both security and performance requirements [Added]
- P2122: Excessive or inadequate logging in firewall [Added]
T4119: Use strict access controls for administration in firewalls [Added]
- P2123: Insecure management interfaces in firewall [Added]
T4120: Keep firewall software and firmware up to date [Added]
- P2124: Out-of-date firewall software or hardware [Added]
T4121: Back up firewall configuration [Added]
- P2125: Failure to back up firewall configuration [Added]
T4122: Configure firewall failover and redundancy [Added]
- P2126: Failure to design for high availability firewall [Added]
T4123: Support the FTPS or SFTP protocol [Added]
- P2127: Unencrypted data in transit in FTP [Added]
T4124: Isolate the FTP server in a DMZ [Added]
- P2128: Improper network placement of the FTP server [Added]
T4125: Prefer client certificates and strong authentication practices [Added]
- P2129: Weak authentication practices for FTP clients [Added]
T4126: Enforce user-specific FTP file storage [Added]
- P2130: Insufficient isolation of FTP file storage [Added]
T4127: Filter uploads and ensure files are handled safely [Added]
- P2131: Malicious file uploads [Added]
T4128: Use strict access controls for administration in FTP servers [Added]
- P2132: Insecure management interfaces in FTP server [Added]
T4129: Monitor FTP server activity [Added]
- P2133: Failure to monitor FTP server activity [Added]
T4130: Keep FTP servers up to date [Added]
- P2134: Out-of-date FTP server software [Added]
T4131: Tune IDS/IPS rules to mitigate false positives [Added]
- P2135: Excessive IDS/IPS false positives [Added]
T4132: Tune for efficiency based on risk analysis [Added]
- P2136: Poor IDS/IPS performance or high resource consumption [Added]
T4133: Monitor alerts and take manual or automatic actions in response [Added]
- P2137: Failure to monitor security events [Added]
T4134: Use strict access controls for administration in IDS/IPS systems [Added]
- P2138: Insecure management interfaces in IPS/IDS [Added]
T4135: Keep IDS/IPS up to date [Added]
- P2139: Out-of-date detection rules or software [Added]
T4136: Harden the session persistence cookie [Added]
- P2140: Attacks against the session persistence cookie [Added]
T4137: Configure end-to-end TLS encryption [Added]
- P2141: Unencrypted data on internal networks [Added]
T4138: Use a web application firewall or other network protections [Added]
- P2142: Denial of service attacks against load balancers [Added]
T4139: Use strict access controls for administration in load balancers [Added]
- P2143: Inadequate security for management interfaces [Added]
T4140: Keep load balancers up to date [Added]
- P2144: Out-of-date load balancer software or hardware [Added]
T4141: Configure load balancer failover and redundancy [Added]
- P2145: Failure to design for high availability load balancer [Added]
T4142: Protect message traffic with TLS and consider end-to-end message encryption [Added]
- P2146: Unencrypted message data [Added]
T4143: Use message signing and integrity checks [Added]
- P2147: Message tampering in message broker [Added]
T4144: Use data integrity and privacy controls [Added]
- P2148: Sensitive or malicious data in messages [Added]
T4145: Require client authentication and implement least privilege permissions [Added]
- P2149: Weak authentication or excessive privileges for message clients [Added]
T4146: Implement defenses against denial of service attacks [Added]
- P2150: Denial of service attacks against message brokers [Added]
T4147: Use strict access controls for administration [Added]
- P2151: Insecure management interfaces in message broker [Added]
T4148: Monitor message broker activity [Added]
- P2152: Failure to monitor message broker activity [Added]
T4149: Back up message brokers [Added]
- P2153: Failure to back up message brokers [Added]
T4150: Only connect to FTP servers using FTPS or SFTP [Added]
- P2154: Connecting over unencrypted FTP [Added]
T4151: Choose secure FTP client software and install updates promptly [Added]
- P2155: Insecure FTP client software [Added]
T4152: Secure the configuration of the client [Added]
- P2156: Insecure configuration of VPN client software or devices [Added]
T4153: Use network segmentation to separate proxy servers from other resources [Added]
- P2157: Incorrect placement of a proxy server [Added]
T4154: Use strict access controls for administration [Added]
- P2158: Insecure management interfaces in proxy server [Added]
T4155: Use content filtering to block malicious sites [Added]
- P2159: Lack of content filtering [Added]
T4156: Document any case of proxy server bypass [Added]
- P2160: Undocumented proxy server bypass rules [Added]
T4157: Monitor proxy server traffic [Added]
- P2161: Failure to monitor proxy server activity [Added]
T4158: Keep proxy servers up to date [Added]
- P2162: Out-of-date proxy server software [Added]
T4159: Place routers in a secure location [Added]
- P2163: Routers in an insecure location device access [Added]
T4160: Authenticate devices with 802.1X or another secure protocol [Added]
- P2164: Unauthorized device access [Added]
T4161: Disable unnecessary services [Added]
- P2165: Unused router services [Added]
T4162: Keep router firmware up to date [Added]
- P2166: Unpatched vulnerabilities in router hardware [Added]
T4163: Collect and monitor router traffic logs [Added]
- P2167: Failure to monitor network traffic [Added]
T4164: Configure port filtering [Added]
- P2168: Overly permissive port access [Added]
T4165: Protect message traffic with TLS encryption [Added]
- P2169: Unencrypted message data in transit in Service Bus [Added]
T4166: Use validation and integrity checks [Added]
- P2170: Message tampering in service bus [Added]
T4167: Apply consistent security policy to all services in a service bus [Added]
- P2171: Inconsistent application of security measures across different services [Added]
T4168: Require client authentication and implement least privilege permissions [Added]
- P2172: Weak authentication for message producers [Added]
T4169: Implement defenses against denial of service attacks [Added]
- P2173: Vulnerability to denial of service attacks and failure [Added]
T4170: Use strict access controls for administration [Added]
- P2174: Insecure management interfaces in service bus [Added]
T4171: Monitor service bus activity [Added]
- P2175: Failure to monitor service bus activity [Added]
T4172: Choose a secure VPN protocol [Added]
- P2176: Insecure or noncompliant VPN protocols [Added]
T4173: Prefer client certificates and MFA for authentication [Added]
- P2177: Weak authentication for VPN clients [Added]
T4174: Monitor VPN activity [Added]
- P2178: Failure to monitor VPN traffic and events [Added]
T4175: Use strict access controls for administration [Added]
- P2179: Insecure management interfaces in VPN server [Added]
T4176: Keep VPN servers up to date [Added]
- P2180: Out-of-date VPN server software [Added]
T4177: Use end-to-end encryption in addition to 3G network encryption [Added]
- P2181: Insufficient encryption over a 3G network [Added]
T4178: Consider using a private APN [Added]
- P2182: Insufficient segregation of cell network traffic in 3G network [Added]
T4179: Restrict the use of legacy protocols and monitor device connections [Added]
- P2183: Fake base station attacks in 3G network [Added]
T4180: Harden cell network hardware and monitor performance [Added]
- P2184: Denial of service attacks against a 3G network [Added]
T4181: Restrict physical access to devices, and prefer eSIMs [Added]
- P2185: SIM cloning attacks in 3G network [Added]
T4182: Use end-to-end encryption in addition to LTE network encryption [Added]
- P2186: Insufficient encryption over an LTE network [Added]
T4183: Consider using a private APN [Added]
- P2187: Insufficient segregation of cell network traffic in LTE network [Added]
T4184: Restrict the use of legacy protocols and monitor device connections [Added]
- P2188: Fake base station attacks in LTE network [Added]
T4185: Harden cell network hardware and monitor performance [Added]
- P2189: Denial of service attacks against an LTE network [Added]
T4186: Restrict physical access to devices, and prefer eSIMs [Added]
- P2190: SIM cloning attacks in LTE network [Added]
T4187: Use end-to-end encryption in addition to 5G network encryption [Added]
- P2191: Insufficient encryption over a 5G network [Added]
T4188: Consider using network slicing or a private APN [Added]
- P2192: Insufficient segregation of cell network traffic in 5G network [Added]
T4189: Restrict the use of legacy protocols and monitor device connections [Added]
- P2193: Fake base station attacks in 5G network [Added]
T4190: Harden cell network hardware and monitor performance [Added]
- P2194: Denial of service attacks against a 5G network [Added]
T4191: Restrict physical access to devices, and prefer eSIMs [Added]
- P2195: SIM cloning attacks in 5G network [Added]
T4192: Choose devices and infrastructure that supports LoRaWAN 1.1 [Added]
- P2196: Old or insecure LoRa versions [Added]
T4193: Choose EDs with security features and restrict physical access [Added]
- P2197: Device tampering or key extraction [Added]
T4194: Monitor traffic from ED devices [Added]
- P2198: Denial of service attacks using signal jamming [Added]
T4195: Use encrypted communication between network servers and application servers [Added]
- P2199: Insecure data transmission to the application server [Added]
T4196: Separate LoRa devices with network segmentation [Added]
- P2200: Insufficient network isolation of LoRa devices [Added]
T4197: Use Modbus/TCP Security for TLS encryption [Added]
- P2201: Unencrypted data in transit in Modbus [Added]
T4198: Separate ModBus devices with network segmentation [Added]
- P2202: Insufficient network isolation of Modbus devices [Added]
T4199: Use Modbus/TCP Security and monitor with an IDS/IPS [Added]
- P2203: Modbus flooding and denial of service attacks [Added]
T4200: Start a TLS security session before transmitting data over AMQP [Added]
- P2204: Unencrypted data in transit in AMQP [Added]
T4201: Choose a suitable authentication method in SASL [Added]
- P2205: Anonymous access in AMQP [Added]
T4202: Validate messages and install all message broker updates [Added]
- P2206: Deserialization of malicious objects in AMQP [Added]
T4203: Distribute certificates to CDN servers and configure TLS [Added]
- P2207: Unencrypted data in transit in Content Delivery Network (CDN) [Added]
T4204: Enforce access control for protected content [Added]
- P2208: Missing access control for protected content in Content Delivery Network (CDN) [Added]
T4205: Generate consistent cache keys and sanitize all inputs [Added]
- P2209: CDN cache poisoning [Added]
T4206: Deploy a WAF at the CDN edge [Added]
- P2210: Denial of service and other common web attacks in Content Delivery Network (CDN) [Added]
Changes to Project Properties and Profiles
- Q207: Application Layer
  - Q186: Application Layer Protocols Used
    - A1573: File Transfer Protocol (FTP) [Added]
    - A1583: Modbus [Added]
    - A1584: Advanced Message Queuing Protocol (AMQP) [Added]
- Q211: Development Tools
  - Q235: Uses Static or Dynamic Security Code Analysis
    - Q364: Version control platforms [Added]
      - A1390: GitHub [Added]
- Q243: Internal Hidden Properties
  - Q189: Internal Properties (Use this, for all hidden answers)
    - A1484: AWS Business Applications (hidden) [Added]
    - A1485: AWS Cloud Financial Management (hidden) [Added]
    - A1486: AWS Compute Services (hidden) [Added]
    - A1487: AWS Containers (hidden) [Added]
    - A1488: AWS Database (hidden) [Added]
    - A1489: AWS Developer Tools (hidden) [Added]
    - A1490: AWS End User Computing (hidden) [Added]
    - A1491: AWS Front-end Web and Mobile Services (hidden) [Added]
    - A1492: AWS Internet of Things (IoT) (hidden) [Added]
    - A1493: AWS Management and Governance (hidden) [Added]
    - A1494: AWS Media Services (hidden) [Added]
    - A1495: AWS Migration and Transfer (hidden) [Added]
    - A1496: AWS Machine Learning (ML) and Artificial Intelligence (AI) (hidden) [Added]
    - A1497: AWS Networking and Content Delivery (hidden) [Added]
    - A1498: AWS Security, Identity, and Compliance (hidden) [Added]
    - A1499: AWS Storage (hidden) [Added]
    - A1500: AWS Analytics (hidden) [Added]
    - A1501: AWS Application Integration (hidden) [Added]
    - A1502: AWS All Services (hidden) [Added]
    - A1503: AWS Blockchain (hidden) [Added]
    - A1515: Azure AI + Machine Learning (hidden) [Added]
    - A1516: Azure Analytics (hidden) [Added]
    - A1517: Azure Compute (hidden) [Added]
    - A1518: Azure Containers (hidden) [Added]
    - A1519: Azure Databases (hidden) [Added]
    - A1520: Azure Developer tools (hidden) [Added]
    - A1521: Azure DevOps (hidden) [Added]
    - A1522: Azure Hybrid + multicloud (hidden) [Added]
    - A1523: Azure Identity (hidden) [Added]
    - A1524: Azure Integration (hidden) [Added]
    - A1525: Azure Internet of Things (hidden) [Added]
    - A1526: Azure Management and Governance (hidden) [Added]
    - A1527: Azure Media (hidden) [Added]
    - A1528: Azure Migration (hidden) [Added]
    - A1529: Azure Mixed Reality (hidden) [Added]
    - A1530: Azure Mobile (hidden) [Added]
    - A1531: Azure Networking (hidden) [Added]
    - A1532: Azure Security (hidden) [Added]
    - A1533: Azure Storage (hidden) [Added]
    - A1534: Azure Virtual Desktop Infrastructure (hidden) [Added]
    - A1535: Azure Web (hidden) [Added]
    - A1538: Azure All Services (hidden) [Added]
    - A1539: ANSI/ISA 62443-4-1 [Added]
    - A1540: Google Cloud AI and Machine Learning (hidden) [Added]
    - A1541: Google Cloud AI Infrastructure (hidden) [Added]
    - A1542: Google Cloud AI Solutions (hidden) [Added]
    - A1543: Google Cloud Business Intelligence (hidden) [Added]
    - A1544: Google Cloud Compute (hidden) [Added]
    - A1545: Google Cloud Containers (hidden) [Added]
    - A1546: Google Cloud Data Analytics (hidden) [Added]
    - A1547: Google Cloud Databases (hidden) [Added]
    - A1548: Google Cloud Developer Tools (hidden) [Added]
    - A1549: Google Cloud Distributed Cloud (hidden) [Added]
    - A1550: Google Cloud Hybrid and Multicloud (hidden) [Added]
    - A1551: Google Cloud Industry Specific (hidden) [Added]
    - A1552: Google Cloud Integration Services (hidden) [Added]
    - A1553: Google Cloud Management Tools (hidden) [Added]
    - A1554: Google Cloud Maps and Geospatial (hidden) [Added]
    - A1555: Google Cloud Media Services (hidden) [Added]
    - A1556: Google Cloud Migration (hidden) [Added]
    - A1557: Google Cloud Mixed Reality (hidden) [Added]
    - A1558: Google Cloud Networking (hidden) [Added]
    - A1559: Google Cloud Operations (hidden) [Added]
    - A1560: Google Cloud Productivity and Collaboration (hidden) [Added]
    - A1561: Google Cloud Security and Identity (hidden) [Added]
    - A1562: Google Cloud Serverless (hidden) [Added]
    - A1563: Google Cloud Storage (hidden) [Added]
    - A1564: Google Cloud Web3 (hidden) [Added]
    - A1565: Google Cloud All Services (hidden) [Added]
- Q249: Industrial Control Systems
  - Q250: In-Scope for ANSI/ISA 62443 or CSA/SSA-311
    - A1374: ANSI/ISA 62443-4-1 or SDLA 312 [Added]
- Q276: Network Layer
  - Q371: Virtual Private Network (VPN) [Added]
    - A1574: Virtual Private Network (VPN) [Added]
  - Q349: Broadband cellular networks
    - A1344: Long-Term Evolution (LTE) or Fifth-generation (5G) technologies [Removed]
    - A1579: 3G [Added]
    - A1580: 4G/LTE [Added]
    - A1581: 5G [Added]
  - Q339: Wireless Protocols Used
    - A1582: LoRa [Added]
- Q284: Context and Characteristics
  - Q252: Application's Context and Characteristics
    - Q368: Type of AI system [Added]
      - A1506: High Risk [Added]
      - A1507: Limited/ low risk [Added]
      - A1508: General purpose AI models [Added]
      - A1509: General Purpose AI Models with Systemic Risk [Added]
    - Q357: Artificial Intelligence/Machine Learning
      - A1504: LLM-based Code Generation [Added]
      - A1505: EU AI Act [Added]
- Q289: Cloud Computing
  - Q290: Cloud Providers
    - A1159: Amazon Web Services (AWS) Content (Not Story-driven) [Updated]
      - INFO: Updated the children.
    - A1190: Microsoft Azure [Updated]
      - INFO: Updated the children.
    - A1212: Google Cloud Content (Not Story-driven) [Updated]
      - INFO: Updated the children.
- Q299: General
  - Q296: Assurance Level
    - A1161: Include more in-depth controls [Updated]
      - INFO: Updated the description.
- Q304: Database Technologies
  - Q305: Database Management System (DBMS)
    - A1368: InfluxDB [Added]
    - A1369: Neo4j [Added]
    - A1370: MariaDB [Added]
    - A1371: CockroachDB [Added]
    - A1372: Apache Cassandra [Added]
    - A1373: MarkLogic [Added]
- Q361: Amazon Web Services (AWS) [Added]
  - Q366: AWS Cloud Configuration [Added]
    - A1392: AWS Cloud Configuration [Added]
  - Q298: AWS Services [Updated]
    - INFO: Updated the parent.
    - A1165: RDS [Updated]
      - INFO: Updated the description.
    - A1166: EBS [Updated]
      - INFO: Updated the description.
    - A1167: AMI [Updated]
      - INFO: Updated the description.
    - A1168: ELB [Updated]
      - INFO: Updated the description.
    - A1170: IAM [Updated]
      - INFO: Updated the description.
    - A1171: EC2 [Updated]
      - INFO: Updated the description.
    - A1173: SNS [Updated]
      - INFO: Updated the description.
    - A1177: VPC [Updated]
      - INFO: Updated the description.
    - A1178: KMS [Updated]
      - INFO: Updated the description.
    - A1227: SQS [Updated]
      - INFO: Updated the description.
    - A1270: ECS [Updated]
      - INFO: Updated the description.
    - A1271: DynamoDB [Updated]
      - INFO: Updated the description.
    - A1331: EKS [Updated]
      - INFO: Updated the description.
    - A1347: Kinesis Data Streams [Updated]
      - INFO: Updated the description.
    - A1366: SageMaker [Updated]
      - INFO: Updated the description.
    - A1375: Certificate Manager [Added]
    - A1376: CloudFormation [Added]
    - A1377: ECR [Added]
    - A1378: EFS [Added]
    - A1379: ElastiCache [Added]
    - A1380: MSK [Added]
    - A1381: MQ [Added]
    - A1382: OpenSearch [Added]
    - A1383: RedShift [Added]
    - A1384: Secrets Manager [Added]
    - A1385: SES [Added]
    - A1386: Step Functions [Added]
    - A1387: Systems Manager [Added]
    - A1388: Transfer Family [Added]
    - A1510: AWS App Mesh [Added]
    - A1511: AWS Bedrock [Added]
    - A1512: AWS S3 Glacier [Added]
    - A1513: AWS Glue [Added]
    - A1514: AWS Lake Formation [Added]
- Q362: Microsoft Azure [Added]
  - Q365: Azure Cloud Configuration [Added]
    - A1391: Azure Cloud Configuration [Added]
  - Q306: Azure Services [Updated]
    - INFO: Updated the parent.
    - Q370: More Azure Services [Added]
      - A1196: Multi-Factor Authentication [Updated]
        
        INFO: Updated the question.
      - A1198: Virtual Machines [Updated]
        
        INFO: Updated the question.
      - A1199: Security Center [Updated]
        
        INFO: Updated the question.
      - A1200: Storage [Updated]
        
        INFO: Updated the question.
      - A1201: SQL Database [Updated]
        
        INFO: Updated the question.
      - A1202: Virtual Network [Updated]
        
        INFO: Updated the question.
      - A1203: Monitor [Updated]
        
        INFO: Updated the question.
      - A1204: Key Vault [Updated]
        
        INFO: Updated the question.
      - A1205: Network Watcher [Updated]
        
        INFO: Updated the question.
      - A1206: Resource Manager [Updated]
        
        INFO: Updated the question.
      - A1396: Azure Machine Learning [Added]
      - A1397: Azure OpenAI Service [Added]
      - A1402: Azure Stream Analytics [Added]
      - A1403: Azure Synapse Analytics [Added]
      - A1406: Azure Linux Virtual Machines [Added]
      - A1407: Azure Spring Apps [Added]
      - A1408: Azure Virtual Desktop [Added]
      - A1409: Azure Virtual Machine Scale Sets [Added]
      - A1410: Azure VMware Solution [Added]
      - A1411: Azure Windows Virtual Machines [Added]
      - A1415: Azure Red Hat OpenShift [Added]
      - A1421: Azure Managed Instance for Apache Cassandra [Added]
      - A1422: Azure SQL [Added]
      - A1426: Azure Stack Edge [Added]
      - A1430: Azure Logic Apps [Added]
      - A1431: Azure Service Bus [Added]
      - A1432: Azure Web PubSub [Added]
      - A1435: Azure Notification Hubs [Added]
      - A1439: Azure Lighthouse [Added]
      - A1440: Azure Managed Applications [Added]
      - A1441: Azure Policy [Added]
      - A1442: Azure Purview [Added]
      - A1443: Azure Resource Manager templates [Added]
      - A1444: Azure Resource Mover [Added]
      - A1445: Azure Media Services [Added]
      - A1447: Azure Migrate [Added]
      - A1448: Azure Site Recovery [Added]
      - A1450: Azure Remote Rendering [Added]
      - A1451: Azure Spatial Anchors [Added]
      - A1461: Azure Load Balancer [Added]
      - A1462: Azure NAT Gateway [Added]
      - A1463: Azure Network Watcher [Added]
      - A1464: Azure Private Link [Added]
      - A1465: Azure Traffic Manager [Added]
      - A1466: Azure Virtual WAN [Added]
      - A1467: Azure VPN Gateway [Added]
      - A1468: Azure Web Application Firewall [Added]
      - A1469: Azure PostgreSQL Database [Added]
      - A1475: Azure Sentinel [Added]
      - A1480: Azure Managed Lustre [Added]
      - A1481: Azure NetApp Files [Added]
      - A1483: Azure SignalR Service [Added]
    - A1394: Azure AI Bot Service [Added]
    - A1395: Azure Databricks [Added]
    - A1398: Azure Analysis Services [Added]
    - A1399: Azure Data Explorer [Added]
    - A1400: Azure Data Lake Analytics [Added]
    - A1401: Azure Event Hubs [Added]
    - A1404: Azure App Service [Added]
    - A1405: Azure Batch [Added]
    - A1412: Azure Container Apps [Added]
    - A1413: Azure Container Instances [Added]
    - A1414: Azure Container Registry [Added]
    - A1416: Azure Cache for Redis [Added]
    - A1417: Azure Cosmos DB [Added]
    - A1418: Azure Data Factory [Added]
    - A1419: Azure Database for MariaDB [Added]
    - A1420: Azure Database for MySQL [Added]
    - A1423: Azure App Configuration [Added]
    - A1424: Azure DevTest Labs [Added]
    - A1425: Azure Arc [Added]
    - A1427: Azure Active Directory External Identities [Added]
    - A1428: Azure API Management [Added]
    - A1429: Azure Event Grid [Added]
    - A1433: Azure IoT Central [Added]
    - A1434: Azure IoT Hub [Added]
    - A1436: Azure Automation [Added]
    - A1437: Azure Cloud Shell [Added]
    - A1438: Azure Cost Management [Added]
    - A1446: Azure Database Migration Service [Added]
    - A1449: Azure Digital Twins [Added]
    - A1452: Azure Application Gateway [Added]
    - A1453: Azure Bastion [Added]
    - A1454: Azure Communications Gateway [Added]
    - A1455: Azure Content Delivery Network [Added]
    - A1456: Azure DDoS Protection [Added]
    - A1457: Azure DNS [Added]
    - A1458: Azure Firewall [Added]
    - A1459: Azure Firewall Manager [Added]
    - A1460: Azure Front Door [Added]
    - A1470: Azure Attestation [Added]
    - A1471: Azure Dedicated HSM [Added]
    - A1472: Azure Defender for Cloud [Added]
    - A1473: Azure Information Protection [Added]
    - A1474: Azure Key Vault Managed HSM [Added]
    - A1476: Azure Backup [Added]
    - A1477: Azure Data Box [Added]
    - A1478: Azure Data Share [Added]
    - A1479: Azure HPC Cache [Added]
    - A1482: Azure Communication Services [Added]
    - A1536: Azure Blob Storage [Added]
    - A1537: Azure Data Lake Storage [Added]
- Q363: Google Cloud Platform (GCP) [Added]
  - Q367: GCP Cloud Configuration [Added]
    - A1393: GCP Cloud Configuration [Added]
  - Q309: Google Cloud Services [Updated]
    - INFO: Updated the parent.
- Q369: Network Technologies [Added]
  - Q372: Network Components [Added]
    - A1566: Directory Server [Added]
    - A1567: DNS Server [Added]
    - A1568: Firewall [Added]
    - A1569: FTP Server [Added]
    - A1570: IDS/IPS [Added]
    - A1571: Load Balancer [Added]
    - A1572: Message Broker [Added]
    - A1575: Proxy Server [Added]
    - A1576: Router [Added]
    - A1577: Service Bus [Added]
    - A1578: Virtual Private Network (VPN) Server [Added]
    - A1585: Content Delivery Network (CDN) [Added]
Added Components
- SC3: NoSQL Database
- SC5: MongoDB
- SC11: SQLite
- SC102: Azure PostgreSQL Database
- SC104: Apache Cassandra
- SC105: InfluxDB
- SC106: Neo4j
- SC107: MarkLogic
- SC109: CockroachDB
- SC110: MariaDB
- SC111: Cloud Environment
- SC112: AWS Environment
- SC113: Azure Environment
- SC114: GCP Environment
- SC115: AWS Athena
- SC116: AWS Clean Rooms
- SC117: AWS CloudSearch
- SC118: AWS Data Exchange
- SC119: AWS Data Pipeline
- SC120: AWS DataZone
- SC121: AWS EMR
- SC122: AWS Entity Resolution
- SC123: AWS FinSpace
- SC124: AWS Glue
- SC125: AWS Kinesis
- SC126: AWS Kinesis Video Streams
- SC127: AWS Lake Formation
- SC128: AWS Managed Service for Apache Flink
- SC129: AWS Managed Streaming for Apache Kafka (MSK)
- SC130: AWS OpenSearch Serverless
- SC131: AWS OpenSearch Service
- SC132: AWS QuickSight
- SC133: AWS Redshift
- SC134: AWS Redshift Serverless
- SC135: AWS AppFlow
- SC136: AWS B2B Data Interchange
- SC137: AWS EventBridge
- SC138: AWS Managed Workflows for Apache Airflow (MWAA)
- SC139: AWS MQ
- SC140: AWS Simple Workflow Service
- SC141: AWS Step Functions
- SC142: AWS Managed Blockchain
- SC143: AWS Alexa for Business
- SC144: AWS AppFabric
- SC145: AWS Chime
- SC146: AWS Chime SDK
- SC147: AWS Connect
- SC148: AWS Honeycode
- SC149: AWS Pinpoint
- SC150: AWS Simple Email Service (SES)
- SC151: AWS WorkDocs
- SC152: AWS WorkMail
- SC153: AWS Application Cost Profiler
- SC154: AWS Billing Conductor
- SC155: AWS Budgets
- SC156: AWS Cost and Usage Report
- SC157: AWS Cost Explorer
- SC158: AWS Reserved Instance (RI) reporting
- SC159: AWS Savings Plans
- SC160: AWS App Runner
- SC161: AWS Batch
- SC162: AWS Compare AWS compute services
- SC163: AWS EC2 Image Builder
- SC164: AWS Elastic Beanstalk
- SC165: AWS Fargate
- SC166: AWS Lightsail
- SC167: AWS Linux 2023
- SC168: AWS Outposts
- SC169: AWS Serverless Application Repository
- SC170: AWS VMware Cloud on AWS
- SC171: AWS Wavelength
- SC172: AWS App2Container
- SC173: AWS Elastic Container Registry
- SC174: AWS Red Hat OpenShift Service on AWS
- SC175: AWS Managed Services
- SC176: AWS rePost Private
- SC177: AWS DocumentDB (with MongoDB compatibility)
- SC178: AWS ElastiCache
- SC179: AWS Keyspaces (for Apache Cassandra)
- SC180: AWS Lightsail managed databases
- SC181: AWS MemoryDB for Redis
- SC182: AWS Neptune
- SC183: AWS Quantum Ledger Database (Amazon QLDB)
- SC184: AWS RDS for Db2
- SC185: AWS RDS on VMware
- SC186: AWS Timestream
- SC187: AWS Application Composer
- SC188: AWS Cloud9
- SC189: AWS CloudShell
- SC190: AWS CodeArtifact
- SC191: AWS CodeBuild
- SC192: AWS CodeCatalyst
- SC193: AWS CodeCommit
- SC194: AWS CodeDeploy
- SC195: AWS CodePipeline
- SC196: AWS CodeStar
- SC197: AWS Corretto
- SC198: AWS Fault Injection Service
- SC199: AWS X-Ray
- SC200: AWS AppStream 2.0
- SC201: AWS WorkSpaces
- SC202: AWS WorkSpaces Core
- SC203: AWS WorkSpaces Thin Client
- SC204: AWS Workspaces Web
- SC205: AWS Amplify
- SC206: AWS AppSync
- SC207: AWS Device Farm
- SC208: AWS Location Service
- SC209: AWS GameLift
- SC210: AWS FreeRTOS
- SC211: AWS IoT 1-Click
- SC212: AWS IoT Analytics
- SC213: AWS IoT Button
- SC214: AWS IoT Core
- SC215: AWS IoT Device Defender
- SC216: AWS IoT Device Management
- SC217: AWS IoT Events
- SC218: AWS IoT ExpressLink
- SC219: AWS IoT FleetWise
- SC220: AWS IoT Greengrass
- SC221: AWS IoT SiteWise
- SC222: AWS IoT TwinMaker
- SC223: AWS Partner Device Catalog
- SC224: AWS Augmented AI
- SC225: AWS Bedrock
- SC226: AWS CodeGuru
- SC227: AWS CodeWhisperer
- SC228: AWS Comprehend
- SC229: AWS Comprehend Medical
- SC230: AWS DeepComposer
- SC231: AWS DeepLens
- SC232: AWS DeepRacer
- SC233: AWS DevOps Guru
- SC234: AWS Forecast
- SC235: AWS Fraud Detector
- SC236: AWS HealthLake
- SC237: AWS HealthScribe
- SC238: AWS Kendra
- SC239: AWS Lex
- SC240: AWS Lookout for Equipment
- SC241: AWS Lookout for Metrics
- SC242: AWS Lookout for Vision
- SC243: AWS Monitron
- SC244: AWS Panorama
- SC245: AWS PartyRock
- SC246: AWS Personalize
- SC247: AWS Polly
- SC248: AWS Rekognition
- SC249: AWS Textract
- SC250: AWS Transcribe
- SC251: AWS Translate
- SC252: AWS Auto Scaling
- SC253: AWS Chatbot
- SC254: AWS CloudFormation
- SC255: AWS Compute Optimizer
- SC256: AWS Console Mobile Application
- SC257: AWS Control Tower
- SC258: AWS Health Dashboard
- SC259: AWS Launch Wizard
- SC260: AWS License Manager
- SC261: AWS Managed Grafana
- SC262: AWS Managed Service for Prometheus
- SC263: AWS OpsWorks
- SC264: AWS Organizations
- SC265: AWS Proton
- SC266: AWS Service Catalog
- SC267: AWS Systems Manager
- SC268: AWS Trusted Advisor
- SC269: AWS Well-Architected Tool
- SC270: AWS Elastic Transcoder
- SC271: AWS Elemental Appliances and Software
- SC272: AWS Elemental MediaConnect
- SC273: AWS Elemental MediaConvert
- SC274: AWS Elemental MediaLive
- SC275: AWS Elemental MediaPackage
- SC276: AWS Elemental MediaStore
- SC277: AWS Elemental MediaTailor
- SC278: AWS Interactive Video Service
- SC279: AWS Nimble Studio
- SC280: AWS Application Discovery Service
- SC281: AWS Application Migration Service
- SC282: AWS Database Migration Service
- SC283: AWS DataSync
- SC284: AWS Mainframe Modernization Service
- SC285: AWS Migration Hub
- SC286: AWS Snow Family
- SC287: AWS Transfer Family
- SC288: AWS App Mesh
- SC289: AWS Cloud Map
- SC290: AWS Direct Connect
- SC291: AWS Global Accelerator
- SC292: AWS Integrated Private Wireless on AWS
- SC293: AWS Private 5G
- SC294: AWS PrivateLink
- SC295: AWS Transit Gateway
- SC296: AWS Verified Access
- SC297: AWS VPC Lattice
- SC298: AWS VPN
- SC299: AWS Braket
- SC300: AWS RoboMaker
- SC301: AWS Ground Station
- SC302: AWS Artifact
- SC303: AWS Audit Manager
- SC304: AWS Certificate Manager
- SC305: AWS CloudHSM
- SC306: AWS Detective
- SC307: AWS Directory Service
- SC308: AWS Firewall Manager
- SC309: AWS GuardDuty
- SC310: AWS IAM Identity Center
- SC311: AWS Inspector
- SC312: AWS Macie
- SC313: AWS Network Firewall
- SC314: AWS Resource Access Manager
- SC315: AWS Secrets Manager
- SC316: AWS Security Hub
- SC317: AWS Security Lake
- SC318: AWS Shield
- SC319: AWS Verified Permissions
- SC320: AWS WAF Captcha
- SC321: AWS S3 Glacier
- SC322: AWS Backup
- SC323: AWS Elastic Disaster Recovery
- SC324: AWS Elastic File System
- SC325: AWS File Cache
- SC326: AWS FSx for Lustre
- SC327: AWS FSx for NetApp ONTAP
- SC328: AWS FSx for OpenZFS
- SC329: AWS FSx for Windows File Server
- SC330: AWS Storage GatewayAWS
- SC331: Azure AI Anomaly Detector
- SC332: Azure AI Bot Service
- SC333: Azure AI Content Safety
- SC334: Azure AI Custom Vision
- SC335: Azure AI Document Intelligence
- SC336: Azure AI Immersive Reader
- SC337: Azure AI Language
- SC338: Azure AI Metrics Advisor
- SC339: Azure AI Personalizer
- SC340: Azure AI Search
- SC341: Azure AI Services
- SC342: Azure AI Studio
- SC343: Azure AI Translator
- SC344: Azure AI Video Indexer
- SC345: Azure Data Science Virtual Machines
- SC346: Azure Databricks
- SC347: Azure Genomics
- SC348: Azure Health Bot
- SC349: Azure Language Understanding (LUIS)
- SC350: Azure Machine Learning
- SC351: Azure Open Datasets
- SC352: Azure OpenAI Service
- SC353: Azure Operator Call Protection
- SC354: Azure QnA Maker
- SC355: Azure Speaker recognition
- SC356: Azure Speech to text
- SC357: Azure Speech translation
- SC358: Azure Text to speech
- SC359: Azure Analysis Services
- SC360: Azure Chaos Studio
- SC361: Azure Data Catalog
- SC362: Azure Data Explorer
- SC363: Azure Data Lake Analytics
- SC364: Azure Event Hubs
- SC365: Azure Fabric
- SC366: Azure Graph Data Connect
- SC367: Azure HDInsight
- SC368: Azure HDInsight on Azure Kubernetes Service (AKS)
- SC369: Azure Operator Insights
- SC370: Azure Power BI Embedded
- SC371: Azure Stream Analytics
- SC372: Azure Synapse Analytics
- SC373: Azure Batch
- SC374: Azure Cloud Services
- SC375: Azure CycleCloud
- SC376: Azure Dedicated Host
- SC377: Azure Linux Virtual Machines
- SC378: Azure Quantum
- SC379: Azure Service Fabric
- SC380: Azure Spot Virtual Machines
- SC381: Azure Spring Apps
- SC382: Azure Virtual Desktop
- SC383: Azure Virtual Machine Scale Sets
- SC384: Azure VM Image Builder
- SC385: Azure VMware Solution
- SC386: Azure Windows Virtual Machines
- SC387: Azure Container Apps
- SC388: Azure Container Instances
- SC389: Azure Container Registry
- SC390: Azure Container Storage
- SC391: Azure Kubernetes Fleet Manager
- SC392: Azure Red Hat OpenShift
- SC393: Azure Web App for Containers
- SC394: Azure Cache for Redis
- SC395: Azure Cosmos DB
- SC396: Azure Data Factory
- SC397: Azure Database for MariaDB
- SC398: Azure Database for MySQL
- SC399: Azure Managed Instance for Apache Cassandra
- SC400: Azure SQL
- SC401: Azure SQL Edge
- SC402: Azure SQL Managed Instance
- SC403: Azure SQL Server on Azure Virtual Machines
- SC404: Azure Table Storage
- SC405: Azure App Configuration
- SC406: Azure Dev Box
- SC407: Azure DevOps
- SC408: Azure Managed Confidential Consortium Framework (CCF)
- SC409: Azure Playwright Testing
- SC410: Azure SDKs
- SC411: Azure Visual Studio
- SC412: Azure Visual Studio Code
- SC413: Azure Artifacts
- SC414: Azure Boards
- SC415: Azure Deployment Environments
- SC416: Azure DevOps tool integrations
- SC417: Azure DevTest Labs
- SC418: Azure GitHub Advanced Security for Azure DevOps
- SC419: Azure Load Testing
- SC420: Azure Managed Grafana
- SC421: Azure Pipelines
- SC422: Azure Repos
- SC423: Azure Test Plans
- SC424: Azure Arc
- SC425: Azure Kubernetes Service Edge Essentials
- SC426: Azure Modular Datacenter
- SC427: Azure Operator Nexus
- SC428: Azure Operator Service Manager
- SC429: Azure Stack
- SC430: Azure Stack Edge
- SC431: Azure Stack HCI
- SC432: Azure Stack Hub
- SC433: Azure Active Directory External Identities
- SC434: Azure API Management
- SC435: Azure Data Manager for Agriculture
- SC436: Azure Energy Data Services
- SC437: Azure Event Grid
- SC438: Azure Health Data Services
- SC439: Azure Logic Apps
- SC440: Azure Service Bus
- SC441: Azure Web PubSub
- SC442: Azure Defender for IoT
- SC443: Azure IoT Central
- SC444: Azure IoT Edge
- SC445: Azure IoT Hub
- SC446: Azure IoT Operations
- SC447: Azure Notification Hubs
- SC448: Azure RTOS
- SC449: Azure Sphere
- SC450: Azure Time Series Insights
- SC451: Azure Windows 10 IoT Core Services
- SC452: Azure Windows for IoT
- SC453: Azure Advisor
- SC454: Azure Automanage
- SC455: Azure Automation
- SC456: Azure Blueprints
- SC457: Azure Cloud Shell
- SC458: Azure Copilot for Azure
- SC459: Azure Cost Management
- SC460: Azure Lighthouse
- SC461: Azure Managed Applications
- SC462: Azure mobile app
- SC463: Azure Policy
- SC464: Azure portal
- SC465: Azure Purview
- SC466: Azure Resource Manager templates
- SC467: Azure Resource Mover
- SC468: Azure Service Health
- SC469: Azure Update management center
- SC470: Azure Content Protection
- SC471: Azure Encoding
- SC472: Azure Live and On-Demand Streaming
- SC473: Azure Media Player
- SC474: Azure Media Services
- SC475: Azure Database Migration Service
- SC476: Azure Migrate
- SC477: Azure Site Recovery
- SC478: Azure Digital Twins
- SC479: Azure Kinect DK
- SC480: Azure Object Anchors
- SC481: Azure Remote Rendering
- SC482: Azure Spatial Anchors
- SC483: Azure App Center
- SC484: Azure Application Gateway
- SC485: Azure Bastion
- SC486: Azure Communications Gateway
- SC487: Azure Content Delivery Network
- SC488: Azure DDoS Protection
- SC489: Azure DNS
- SC490: Azure ExpressRoute
- SC491: Azure Firewall
- SC492: Azure Firewall Manager
- SC493: Azure Front Door
- SC494: Azure Internet Analyzer
- SC495: Azure Load Balancer
- SC496: Azure NAT Gateway
- SC497: Azure Network Function Manager
- SC498: Azure Network Watcher
- SC499: Azure Operator 5G Core
- SC500: Azure Orbital Ground Station
- SC501: Azure Private 5G Core
- SC502: Azure Private Link
- SC503: Azure Programmable Connectivity
- SC504: Azure Route Server
- SC505: Azure Traffic Manager
- SC506: Azure Virtual Network Manager
- SC507: Azure Virtual WAN
- SC508: Azure VPN Gateway
- SC509: Azure Web Application Firewall
- SC510: Azure Attestation
- SC511: Azure Dedicated HSM
- SC512: Azure Defender External Attack Surface Management
- SC513: Azure Defender for Cloud
- SC514: Azure Entra Domain Services
- SC515: Azure Information Protection
- SC516: Azure Key Vault Managed HSM
- SC517: Azure Sentinel
- SC518: Azure Trusted Hardware Identity Management
- SC519: Azure Archive Storage
- SC520: Azure Avere vFXT for Azure
- SC521: Azure Backup
- SC522: Azure Blob Storage
- SC523: Azure confidential ledger
- SC524: Azure Data Box
- SC525: Azure Data Lake Storage
- SC526: Azure Data Lake Storage Gen1
- SC527: Azure Data Share
- SC528: Azure Disk Storage
- SC529: Azure Elastic SAN
- SC530: Azure Files
- SC531: Azure HPC Cache
- SC532: Azure Managed Lustre
- SC533: Azure NetApp Files
- SC534: Azure Queue Storage
- SC535: Azure Storage Accounts
- SC536: Azure Storage Actions
- SC537: Azure Storage Explorer
- SC538: Azure Lab Services
- SC539: Azure Communication Services
- SC540: Azure Fluid Relay
- SC541: Azure Maps
- SC542: Azure SignalR Service
- SC543: Azure Static Web AppsAzure
- SC544: GCP AutoML
- SC545: GCP Dialogflow
- SC546: GCP Generative AI on Vertex AI
- SC547: GCP Media Translation
- SC548: GCP Natural Language AI
- SC549: GCP Recommendations AI
- SC550: GCP Speech-to-Text
- SC551: GCP Text-to-Speech
- SC552: GCP Translation AI
- SC553: GCP Vertex AI Notebooks
- SC554: GCP Vertex AI Platform
- SC555: GCP Vertex AI Search and Conversation
- SC556: GCP Vertex Explainable AI
- SC557: GCP Video AI
- SC558: GCP Vision AI
- SC559: GCP Cloud GPUs
- SC560: GCP Cloud TPUs
- SC561: GCP Deep Learning Containers
- SC562: GCP Deep Learning VM Image
- SC563: GCP TensorFlow Enterprise
- SC564: GCP Contact Center AI
- SC565: GCP Document AI
- SC566: GCP Intelligent products (Preview)
- SC567: GCP Product Discovery
- SC568: GCP Looker Studio
- SC569: GCP App Engine
- SC570: GCP Bare Metal Solution
- SC571: GCP Batch
- SC572: GCP Recommender
- SC573: GCP Sole-tenant Nodes
- SC574: GCP Spot VMs
- SC575: GCP SQL Server on Google Cloud
- SC576: GCP Tau VM
- SC577: GCP VMware Engine
- SC578: GCP Cloud Run
- SC579: GCP Knative
- SC580: GCP Kubernetes applications on Google Cloud Marketplace
- SC581: GCP Analytics Hub
- SC582: GCP BigLake
- SC583: GCP Data Catalog
- SC584: GCP Dataflow
- SC585: GCP Dataform
- SC586: GCP Dataplex
- SC587: GCP Dataprep
- SC588: GCP Looker
- SC589: GCP Marketing Platform
- SC590: GCP AlloyDB for PostgreSQL
- SC591: GCP Cloud Bigtable
- SC592: GCP Cloud Spanner
- SC593: GCP Datastream
- SC594: GCP Firebase Realtime Database
- SC595: GCP Firestore
- SC596: GCP Memorystore
- SC597: GCP Artifact Registry
- SC598: GCP Assured Open Source Software
- SC599: GCP Cloud Build
- SC600: GCP Cloud Code
- SC601: GCP Cloud Deploy
- SC602: GCP Cloud Deployment Manager
- SC603: GCP Cloud Functions for Firebase
- SC604: GCP Cloud SDK
- SC605: GCP Cloud Source Repositories
- SC606: GCP Cloud Tasks
- SC607: GCP Cloud Workstations
- SC608: GCP Duet AI in Google Cloud (Preview)
- SC609: GCP Firebase Authentication
- SC610: GCP Firebase Crashlytics
- SC611: GCP Firebase Test Lab
- SC612: GCP Gradle App Engine Plugin
- SC613: GCP Infrastructure Manager
- SC614: GCP Maven App Engine Plugin
- SC615: GCP Skaffold
- SC616: GCP Tekton
- SC617: GCP Tools for Eclipse
- SC618: GCP Tools for PowerShell
- SC619: GCP Distributed Cloud Edge
- SC620: GCP Distributed Cloud Hosted
- SC621: GCP Anthos
- SC622: GCP Distributed Cloud Service
- SC623: GCP Anti Money Laundering AI
- SC624: GCP Cloud Healthcare API
- SC625: GCP Device Connect for Fitbit
- SC626: GCP Payment Gateway
- SC627: GCP Spectrum Access System (SAS)
- SC628: GCP Telecom Data Fabric
- SC629: GCP Telecom Network Automation
- SC630: GCP Telecom Subscriber Insights
- SC631: GCP Apigee API Management
- SC632: GCP Application Integration
- SC633: GCP Cloud Composer
- SC634: GCP Cloud Data Fusion
- SC635: GCP Cloud Scheduler
- SC636: GCP Dataproc
- SC637: GCP Eventarc
- SC638: GCP Pub/Sub
- SC639: GCP Workflows
- SC640: GCP Active Assist
- SC641: GCP Carbon Footprint
- SC642: GCP Cloud APIs
- SC643: GCP Cloud Console
- SC644: GCP Cloud Endpoints
- SC645: GCP Cloud Mobile App
- SC646: GCP Cloud Shell
- SC647: GCP Config Connector
- SC648: GCP Config Management
- SC649: GCP Cost Management
- SC650: GCP Deployment Manager
- SC651: GCP Identity and Access Management (IAM)
- SC652: GCP Managed Service for Prometheus
- SC653: GCP Personalized Service Health
- SC654: GCP Service Catalog
- SC655: GCP Service Mesh
- SC656: GCP Terraform on Google Cloud
- SC657: GCP Earth Engine
- SC658: GCP Maps Platform
- SC659: GCP Live Stream API
- SC660: GCP OpenCue
- SC661: GCP Transcoder API
- SC662: GCP Video Stitcher API
- SC663: GCP Application migration
- SC664: GCP BigQuery Data Transfer Service
- SC665: GCP Cloud Foundation Toolkit
- SC666: GCP Database Migration Service
- SC667: GCP Migrate to Containers
- SC668: GCP Migrate to Virtual Machines
- SC669: GCP Migration Center
- SC670: GCP Rapid Assessment & Migration Program (RAMP)
- SC671: GCP Storage Transfer Service
- SC672: GCP Transfer Appliance
- SC673: GCP Immersive Stream for XR
- SC674: GCP Cloud Armor
- SC675: GCP Cloud CDN
- SC676: GCP Cloud Connectivity
- SC677: GCP Cloud Domains
- SC678: GCP Cloud Firewall
- SC679: GCP Cloud IDS
- SC680: GCP Cloud Load Balancing
- SC681: GCP Cloud NAT
- SC682: GCP Network Connectivity Center
- SC683: GCP Network Intelligence Center
- SC684: GCP Network Service Tiers
- SC685: GCP Private Service Connect
- SC686: GCP Service Directory
- SC687: GCP VPC Service Controls
- SC688: GCP Cloud Debugger
- SC689: GCP Cloud Monitoring
- SC690: GCP Cloud Profiler
- SC691: GCP Cloud Trace
- SC692: GCP Error Reporting
- SC693: GCP AppSheet
- SC694: GCP AppSheet Automation
- SC695: GCP Chrome Enterprise
- SC696: GCP Duet AI for Google Workspace
- SC697: GCP Workspace
- SC698: GCP Workspace Essentials
- SC699: GCP Access Transparency
- SC700: GCP Assured Workloads
- SC701: GCP BeyondCorp Enterprise
- SC702: GCP Certificate Authority Service
- SC703: GCP Chronicle SIEM
- SC704: GCP Chronicle SOAR
- SC705: GCP Cloud Asset Inventory
- SC706: GCP Cloud Identity
- SC707: GCP Confidential Computing
- SC708: GCP Identity Platform
- SC709: GCP Identity-Aware Proxy
- SC710: GCP Managed Service for Microsoft Active Directory
- SC711: GCP Mandiant Academy
- SC712: GCP Mandiant Attack Surface Management
- SC713: GCP Mandiant Consulting Services
- SC714: GCP Mandiant Digital Threat Monitoring
- SC715: GCP Mandiant Incident Response Services
- SC716: GCP Mandiant Managed Detection and Response
- SC717: GCP Mandiant Security Validation
- SC718: GCP Mandiant Threat Intelligence
- SC719: GCP Policy Intelligence
- SC720: GCP reCAPTCHA Enterprise
- SC721: GCP Secret Manager
- SC722: GCP Security Command Center
- SC723: GCP Sensitive Data Protection
- SC724: GCP Shielded VMs
- SC725: GCP Software Delivery Shield
- SC726: GCP Titan Security Key
- SC727: GCP Virus Total
- SC728: GCP Web Risk
- SC729: GCP API Gateway
- SC730: GCP Cloud Functions
- SC731: GCP Block storage
- SC732: GCP Cloud Backup and DR
- SC733: GCP Cloud Storage for Firebase
- SC734: GCP Filestore
- SC735: GCP Local SSD
- SC736: GCP NetApp Volumes
- SC737: GCP Parallelstore
- SC738: GCP Persistent Disk
- SC739: GCP Blockchain Node Engine
- SC740: GitHub
- SC741: Azure Service
- SC742: Google Cloud Platform
- SC743: Content Delivery Network
- SC744: Directory Server
- SC745: DNS Server
- SC746: Firewall
- SC747: FTP Server
- SC748: IDS/IPS
- SC749: Load Balancer
- SC750: Message Broker
- SC751: Proxy Server
- SC752: Router
- SC753: Service Bus
- SC754: VPN Server
Updated Components
- SC13: PostgreSQL
  - INFO: Updated the title and implied attributes.
- SC76: Azure App Service
  - INFO: Updated the answer mapping and implied attributes.

2024.1

April 13, 2024

New features and enhancements

Library Profile Page
- Added the following Library Profile Page UI enhancements:
  - Ability to view built-in Profiles
  - Ability to deactivate custom profiles
  - Ability to select a profile as a default for the project survey
  - Ability to save copy a profile
    - Added the API capability to GET/POST/PATCH and Delete for profiles
Advanced Reports
- Users can now choose Library Countermeasure Tags or App Space Project Tag name as dimension or filters in Library based context.

Content improvements summary

OWASP API Top 10 2023
- Added a new compliance regulations for OWASP API Top 10 2023
- Added new Additional Requirements for OWASP API Top 10 2023
- Added text improvements for OWASP API Top 10 2023
SageMaker content
- Added 11 Countermeasures and their corresponding test tasks
- Added 9 new Weaknesses
Machine learning security content
- Added 7 Countermeasures and their corresponding test tasks
- Added 4 new Weaknesses
- Added 3 new Threats
SDE update based on Defending Database course
- Added 9 Countermeasures and their corresponding test tasks
- Added 8 new Weaknesses
SDE update based on Node.js course
- Added 4 new Additional Requirements
- Added 3 new How-to's

Content additions and updates (as of March 26, 2024):

Compliance Regulations and Mappings
- Added OWASP API Top 10
- Added ENISA - Securing Machine Learning Algorithms
Content Packs
- Added Machine Learning
- Added Enisa Securing Machine Learning Algorithms
T21: Ensure all data in transit is encrypted using a secure TLS channel
- I1888: Use TLS in Node.js [Added]
T22: Set secure flags on session cookies
- I1889: Node.js [Added]
T36: Escape untrusted data in HTML, HTML attributes, CSS, and JavaScript
- I1890: Node.js: Escape and sanitize [Added]
T50: Use indirect object reference maps if accessing files [Updated]
- INFO: Updated the text.
T159: Follow best practices for secure error and exception handling
- TA6548: Prevent information exposure using error messages in Web APIs [Added]
T285: Restrict use of access tokens (API tokens)
- TA6546: Use API Keys Safely in Your Web APIs [Added]
T330: Monitor and manage Node.js workload
- TA6553: Prevent Denial of Service attacks [Added]
T331: Enforce policies through content security policy (CSP) or XSS protection headers
- TA6552: Protection directives for Node.js [Added]
T335: Sanitize user input before passing to NoSQL operators
- P747: Improper Neutralization of Special Elements used in a NoSQL Command (NoSQL Injection) [Updated]
  - INFO: Updated the text.
T378: Authorize every request for data objects [Updated]
- INFO: Updated the text.
T1362: Perform message throttling in Web APIs [Updated]
- INFO: Updated the text.
- TA6543: Secure API Resource Consumption Guidelines [Added]
T1365: Mitigate Server Side Request Forgery [Updated]
- INFO: Updated the text.
T1368: Perform security testing using SAST tools
- TA6550: Use ESLint to identify problematic patterns [Added]
T1383: Separate development, test, and operational environments
- TA6549: Implement a formal version management strategy for web APIs [Added]
T1919: Use JSON Web Token (JWT) securely
- TA6547: Use Token-Based Authentication (With JWTs) Safely in Your Web APIs [Added]
T2139: Prevent information exposure through APIs [Updated]
- INFO: Updated the text.
T2211: Include a firmware update mechanism/feature (Hardware/Firmware)
- TA3497: Patch and upgrade software and firmware regularly (Bluetooth) [Updated]
  - INFO: Updated the match conditions.
T2348: Perform code reviews
- TA6551: Ensure using promises for code clarity [Added]
T2498: Provide clear definitions for each component
- TA6544: Secure API Documentation Guidelines [Added]
T2560: Launch notebook instances in custom VPC and disable internet access (SageMaker) [Added]
- P898: Using the default VPC (AWS) [Updated]
  - INFO: Updated the match conditions.
T2561: Protect ML model against input manipulation attacks [Added]
- P1749: Lack of data integrity and robustness against poisoning in ML data [Added]
T2562: Test ML model protection against input manipulation attacks [Added]
- P1749: Lack of data integrity and robustness against poisoning in ML data [Added]
T2563: Protect ML model against data poisoning and skewing attacks [Added]
- P1749: Lack of data integrity and robustness against poisoning in ML data [Added]
T2564: Test ML model protection against data poisoning and skewing attacks [Added]
- P1749: Lack of data integrity and robustness against poisoning in ML data [Added]
T2565: Protect ML model against inversion attacks [Added]
- P1750: Lack of model confidentiality and privacy protection in ML [Added]
T2566: Verify notebook instances are launched in custom VPC and internet access is disabled (SageMaker) [Added]
- P898: Using the default VPC (AWS) [Updated]
  - INFO: Updated the match conditions.
T2567: Test ML model protection against inversion attacks [Added]
- P1750: Lack of model confidentiality and privacy protection in ML [Added]
T2568: Disable user root access to notebook instances (SageMaker) [Added]
- P1748: Enabled user root access (SageMaker) [Added]
T2569: Verify user root access to notebook instances is disabled (SageMaker) [Added]
- P1748: Enabled user root access (SageMaker) [Added]
T2570: Isolate resources using domains (SageMaker) [Added]
- P1751: Lack of proper isolation of resources (SageMaker) [Added]
T2571: Verify that resources are associated with domains (SageMaker) [Added]
- P1751: Lack of proper isolation of resources (SageMaker) [Added]
T2572: Avoid confidential or sensitive information in tags or free-form text fields (SageMaker) [Added]
- P1754: Confidential or sensitive information in visible fields (SageMaker) [Added]
T2573: Verify no confidential or sensitive information in tags or free-form text fields (SageMaker) [Added]
- P1754: Confidential or sensitive information in visible fields (SageMaker) [Added]
T2574: Ensure identity-based policy best practices are followed (SageMaker) [Added]
- P1755: Implementation of poor access control policies (SageMaker) [Added]
T2575: Verify that identity-based policy best practices are followed (SageMaker) [Added]
- P1755: Implementation of poor access control policies (SageMaker) [Added]
T2576: Prevent Cross-service Confused Deputy (SageMaker) [Added]
- P1756: Cross-service Confused Deputy Vulnerability (SageMaker) [Added]
T2577: Verify that Cross-service Confused Deputy is prevented (SageMaker) [Added]
- P1756: Cross-service Confused Deputy Vulnerability (SageMaker) [Added]
T2578: Protect communications between compute instances in distributed training jobs (SageMaker) [Added]
- P1757: Lack of encrypted communication between training nodes (SageMaker) [Added]
T2579: Verify that communications between compute instances in distributed training jobs are encrypted (SageMaker) [Added]
- P1757: Lack of encrypted communication between training nodes (SageMaker) [Added]
T2580: Run training and inference containers in internet-free mode (SageMaker) [Added]
- P1758: Lack of Proper Internet Isolation in Training and Inference Containers (SageMaker) [Added]
T2581: Verify that training and inference containers run in internet-free mode (SageMaker) [Added]
- P1758: Lack of Proper Internet Isolation in Training and Inference Containers (SageMaker) [Added]
T2582: Implement security best practices for data protection (SageMaker) [Added]
- P1759: Lack of Security Best Practice Implementation (SageMaker) [Added]
T2583: Verify that data protection security best practices are implemented (SageMaker) [Added]
- P1759: Lack of Security Best Practice Implementation (SageMaker) [Added]
T2584: Ensure legal and regulatory compliance (SageMaker) [Added]
- P1770: Lack of compliance with applicable regulation [Added]
T2585: Verify adherence to legal and regulatory compliance (SageMaker) [Added]
- P1770: Lack of compliance with applicable regulation [Added]
T2586: Use shadow testing for model updates (SageMaker) [Added]
- P1760: Lack of Shadow Testing (SageMaker) [Added]
T2587: Verify that shadow testing is set up for model updates (SageMaker) [Added]
- P1760: Lack of Shadow Testing (SageMaker) [Added]
T2588: Prevent sensitive data exposure in ML models [Added]
- P1750: Lack of model confidentiality and privacy protection in ML [Added]
T2589: Test ML model prevention of sensitive data exposure [Added]
- P1750: Lack of model confidentiality and privacy protection in ML [Added]
T2590: Protect ML model against theft [Added]
- P1752: Lack of access control and model theft protection in ML [Added]
T2591: Test ML model protection against theft [Added]
- P1752: Lack of access control and model theft protection in ML [Added]
T2592: Protect ML model against supply chain attacks [Added]
- P1752: Lack of access control and model theft protection in ML [Added]
T2593: Test ML model protection against supply chain attacks [Added]
- P1752: Lack of access control and model theft protection in ML [Added]
T2594: Protect ML model against poisoning attacks [Added]
- P1753: Lack of model behavior integrity and manipulation protection in ML [Added]
T2595: Test ML model protection against poisoning attacks [Added]
- P1753: Lack of model behavior integrity and manipulation protection in ML [Added]
T2596: Prevent HTTP Request Smuggling [Added]
- P1747: HTTP Request Smuggling [Added]
T2597: Implement RBAC instead of individual accounts [Added]
- P1761: Lack of Role Based access control [Added]
T2598: Implement query-level access control [Added]
- P1762: Lack of granularity of Database access permissions [Added]
T2599: Protect against connection string parameter pollution [Added]
- P1763: Accessible database connection strings [Added]
T2600: Control the result set size returned by a query [Added]
- P1764: Lack of control over the size of result sets returned by queries [Added]
T2601: Use Transparent Data Encryption with Enterprise Databases [Added]
- P1765: Lack of Transparent Data Encryption in Databases [Added]
T2602: Log typical database and server activities and related metadata [Added]
- P1766: Lack of logging typical database and server activities [Added]
T2603: Protect backup archive bits [Added]
- P1767: Lack of protection for backup archive bits [Added]
T2604: Follow best practices for data restoring operations [Added]
- P1768: Lack of proper data restoring operations [Added]
T2605: Validate database traffic [Added]
- P1769: Lack of database traffic validation [Added]
T2606: Verify RBAC implemented instead of individual accounts [Added]
- P1761: Lack of Role Based access control [Added]
T2607: Verify query-level access control is implemented [Added]
- P1762: Lack of granularity of Database access permissions [Added]
T2608: Verify that the connection string is protected against connection string parameter pollution [Added]
- P1763: Accessible database connection strings [Added]
T2609: Verify that the result set size returned by queries are controlled [Added]
- P1764: Lack of control over the size of result sets returned by queries [Added]
T2610: Verify that Transparent Data Encryption is utilized with Enterprise Databases. [Added]
- P1765: Lack of Transparent Data Encryption in Databases [Added]
T2611: Verify that typical database and server activities, along with related metadata, are logged [Added]
- P1766: Lack of logging typical database and server activities [Added]
T2612: Verify backup archive bits are protected [Added]
- P1767: Lack of protection for backup archive bits [Added]
T2613: Verify best practices for data-restoring operations are followed [Added]
- P1768: Lack of proper data restoring operations [Added]
T2614: Verify database traffic is validated [Added]
- P1769: Lack of database traffic validation [Added]
P938: Non-preemptive Goroutines [Deactivated]
Components
- Amazon AMI [Added]
- Amazon API Gateway [Added]
- Amazon Aurora [Updated]
- Amazon CloudFront [Added]
- Amazon CloudWatch [Added]
- Amazon Cognito [Added]
- Amazon DynamoDB [Updated]
- Amazon EC2 [Added]
- Amazon ECS [Added]
- Amazon EKS [Added]
- AWS IAM [Updated]
- Amazon Kinesis Data Firehose [Added]
- Amazon Kinesis Data Streams [Added]
- AWS Lambda [Updated]
- Amazon RDS [Added]
- Amazon Route53 [Updated]
- Amazon S3 [Updated]
- Amazon SageMaker [Added]
- Amazon SNS [Added]
- Amazon SQS [Added]
- Amazon VPC [Added]
- Android App [Updated]
- Apache [Updated]
- Apache Tomcat [Updated]
- ASG [Added]
- Automotive Application [Added]
- AWS CloudTrail [Added]
- AWS Config [Added]
- AWS KMS [Added]
- AWS Service [Added]
- AWS WAF [Added]
- Azure Active Directory (Entra ID) [Updated]
- Azure App Service [Added]
- Azure Functions [Updated]
- Azure Key Vault [Added]
- Azure Kubernetes Service [Added]
- Azure Monitor [Added]
- Azure PostgreSQL Database [Added]
- Azure Resource Manager [Added]
- Azure Security Center [Added]
- Azure SQL Database [Updated]
- Azure Storage [Added]
- Azure Virtual Machines [Added]
- Azure Virtual Network [Added]
- Containerization Platform [Added]
- Docker [Added]
- EBS [Added]
- ELB [Added]
- Firmware [Added]
- Generic Component [Added]
- Database Server [Updated]
- Google BigQuery [Added]
- Google Cloud DNS [Updated]
- Google Cloud IAM [Updated]
- Google Cloud Key Management [Added]
- Google Cloud Logging [Added]
- Google Cloud SQL [Added]
- Google Cloud Storage [Updated]
- Google Compute Engine [Added]
- Google Kubernetes Engine [Added]
- Google Virtual Private Cloud [Added]
- Hardware [Added]
- Ansible [Added]
- Terraform [Added]
- WebSphere [Updated]
- In-house Application [Added]
- iOS App [Updated]
- LDAP [Disabled]
- Mainframe Application [Added]
- Managed Kubernetes [Added]
- Microsoft Active Directory [Disabled]
- Microsoft IIS [Updated]
- Microsoft SQL Server [Updated]
- Mobile App [Updated]
- MongoDB database [Disabled]
- MySQL Database [Updated]
- NGINX [Updated]
- NoSQL database [Disabled]
- On-premise [Added]
- Openshift [Added]
- Oracle Database [Updated]
- WebLogic [Updated]
- PayPal [Disabled]
- PostgreSQL [Disabled]
- SMTP server [Disabled]
- Software [Added]
- SQL Database [Updated]
- SQLite database [Disabled]
- SSO Provider [Disabled]
- System Level Security Requirements [Added]
- Unmanaged Kubernetes [Added]
- User [Disabled]
- Web Application - Backend [Updated]
- Web Application - Frontend [Added]
- Web Server [Added]
- Windows Application [Added]
Changes to Project Properties and Profiles
- Q262: External Dependencies
  - Q263: Software Updates [Updated]
    - INFO: Updated the description.
    - A1104: Has software/firmware update functionality [Updated]
      - INFO: Updated the description.
  - Q288: Service Chaining
    - A1141: Receives user requests through remote services [Updated]
      - INFO: Updated the description.
- Q284: Context and Characteristics
  - Q252: Application's Context and Characteristics
    - Q357: Artificial Intelligence/Machine Learning
      - A1367: Builds and deploys machine learning (ML) models [Added]
- Q289: Cloud Computing
  - Q290: Cloud Providers
    - Q298: AWS Services
      - A1366: SageMaker [Added]

results matching ""

No results matching ""