From Azure Portal Part A - List all disabled policies 1. From Azure Home select the Portal Menu 2. Select Microsoft Defender for Cloud 3. Under Management, select Environment Settings 4. Select the appropriate Subscription 5. Click on Security policies in the left column 6. Click on Microsoft cloud security benchmark 7. Click Add Filter and select Effect 8. Check the Disabled box to search for all disabled policies 9. Click Apply Part B - Remediate Policy Effect For each policy that remains in the list: 1. Click the blue ellipses ... to the right of the policy name 2. Click Manage effect and parameters 3. Under Policy effect, select the Audit radio button 4. Click Save 5. Click Refresh Repeat &quot;Part B - Remediate Policy Effect&quot; until no more policies are listed. Once verified, enter the date that this attestation expires. Note that the date can not be further in the future than is specified in report level Maximum Attestation Duration policy. Set to a blank value to clear the attestation.

Azure > Management Group

Azure > Subscription

Azure > Tenant

Turbot > Folder

Turbot

Turbot > IAM > Turbot Identity

Turbot > IAM > Unidentified Identity

Azure > Active Directory > Directory

Kubernetes > Cluster

GCP > Project

GitHub > Repository

AWS > Account

ServiceNow > Instance

GCP > Compute Engine > Disk

GCP > Compute Engine > Image

GCP > Compute Engine > Instance

GCP > Compute Engine > Region Disk

GCP > Compute Engine > Snapshot

GCP > Composer > Environment

GCP > Network > Forwarding Rule

GCP > Network > Global Forwarding Rule

GCP > Network > VPN Tunnel

GCP > Bigtable > Instance

GCP > BigQuery > Dataset

GCP > BigQuery > Table

GCP > Memorystore > Instance

GCP > Spanner > Instance

GCP > DNS > Managed Zone

GCP > Vertex AI > Endpoint

GCP > KMS > Crypto Key

GCP > Kubernetes Engine > Region Cluster

GCP > Kubernetes Engine > Zone Cluster

GCP > Dataplex > Lake

GCP > Dataplex > Task

GCP > Dataplex > Zone

GCP > Storage > Bucket

GCP > Secret Manager > Secret

GCP > SQL > Instance

GCP > Dataproc > Cluster

GCP > Dataproc > Job

GCP > Dataproc > Workflow Template

GCP > Pub/Sub > Snapshot

GCP > Pub/Sub > Subscription

GCP > Pub/Sub > Topic

GCP > App Engine > Service

Azure > AKS > Managed Cluster

Azure > DNS > Zone

Azure > DNS > Record Set

Azure > PostgreSQL > Flexible Server

Azure > PostgreSQL > Server

Azure > Monitor > Action Group

Azure > Monitor > Metric Alert

Azure > SQL > Database

Azure > SQL > Elastic Pool

Azure > SQL > Managed Instance

Azure > SQL > Server

Azure > Container Registry > Registry

Azure > Firewall > Firewall

Azure > Data Factory > Factory

Azure > Managed Identity > User Assigned Identity

Azure > Storage > Storage Account

Azure > Log Analytics > Log Analytics Workspace

Azure > API Management > API Management Service

Azure > Application Gateway Service > Application Gateway

Azure > Databricks > Workspace

Azure > SQL Virtual Machine Service > SQL Virtual Machine

Azure > Cosmos DB > Database Account

Azure > Relay > Namespace

Azure > Automation > Automation Account

Azure > Automation > Runbook

Azure > Service Bus > Namespace

Azure > Key Vault > Vault

Azure > SignalR Service > SignalR

Azure > Network Watcher > Network Watcher

Azure > Synapse Analytics > SQL Pool

Azure > Synapse Analytics > Workspace

Azure > Resource Group

Azure > Application Insights > Application Insight

Azure > App Service > App Service Plan

Azure > App Service > Web App

Azure > Search Management > Search Service

Azure > MySQL > Flexible Server

Azure > MySQL > Server [Deprecated]

Azure > Recovery Service > Vault

Azure > Load Balancer > Load Balancer

Azure > Network > Application Security Group

Azure > Network > Bastion Host

Azure > Network > Express Route Circuits

Azure > Network > Network Interface

Azure > Network > Network Security Group

Azure > Network > Private DNS Zones

Azure > Network > Private Endpoints

Azure > Network > Public IP Address

Azure > Network > Route Table

Azure > Network > Virtual Network

Azure > Network > Virtual Network Gateway

Azure > Network > Private Link Service

Azure > Compute > Availability Set

Azure > Compute > Disk

Azure > Compute > Disk Encryption Set

Azure > Compute > Image

Azure > Compute > Snapshot

Azure > Compute > Ssh Public Key

Azure > Compute > Virtual Machine

Azure > Compute > Virtual Machine Scale Set

AWS > Kinesis > Stream

AWS > Kinesis > Kinesis Video Stream

AWS > Well-Architected Tool > Workload

AWS > DMS > Endpoint

AWS > DMS > Replication Instance

AWS > VPC > Egress Only Internet Gateway

GCP > Folder

AWS > Region

AWS > EC2 > Instance

From Azure Portal&#92;n&#92;nPart A - List all disabled policies&#92;n  1. From Azure Home select the Portal Menu&#92;n  2. Select Microsoft Defender for Cloud&#92;n  3. Under Management, select Environment Settings&#92;n  4. Select the appropriate Subscription&#92;n  5. Click on Security policies in the left column&#92;n  6. Click on Microsoft cloud security benchmark&#92;n  7. Click Add Filter and select Effect&#92;n  8. Check the Disabled box to search for all disabled policies&#92;n  9. Click Apply&#92;n&#92;nPart B - Remediate Policy Effect&#92;nFor each policy that remains in the list:&#92;n  1. Click the blue ellipses ... to the right of the policy name&#92;n  2. Click Manage effect and parameters&#92;n  3. Under Policy effect, select the Audit radio button&#92;n  4. Click Save&#92;n  5. Click Refresh&#92;n&#92;nRepeat &quot;Part B - Remediate Policy Effect&quot; until no more policies are listed.&#92;n&#92;nOnce verified, enter the date that this attestation expires. Note that the&#92;ndate can not be further in the future than is specified in&#92;nreport level Maximum Attestation Duration policy.&#92;nSet to a blank value to clear the attestation.&#92;n

Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.11 - Ensure that Microsoft Cloud Security Benchmark policies are not set to &#39;Disabled&#39;

Azure > Security Center > Security Center

Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.11 - Ensure that Microsoft Cloud Security Benchmark policies are not set to &#39;Disabled&#39; > Attestation

Policy: Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.11 - Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled' > Attestation

Targets

Primary Policy

Policy Specification

Category

In Your Workspace

Developers