CIS Azure 1.3.1 to 1.5.0
The following sections list the differences between the CIS Azure 1.3.1 and CIS Azure 1.5.0 benchmark policies.
CIS Azure 1.3.1 to 1.5.0 Mapping
The table below lists the mapping of policies between CIS Azure 1.3.1 and 1.5.0, including assessment type and severity differences:
tip
Click anywhere on the table and use the arrow keys on your keyboard to scroll left or right.
| CIS 1.3.1 Policy ID | CIS 1.3.1 Assessment Type | Lacework 1.3.1 Assessment Type | 1.3.1 Severity | CIS 1.5.0 Policy ID | CIS 1.5.0 Control ID | CIS 1.5.0 Assessment Type | Lacework 1.5.0 Assessment Type | 1.5.0 Severity | Notes |
|---|---|---|---|---|---|---|---|---|---|
| Azure_CIS_131_1_1 | Manual | Manual | High | lacework-global-514 | 1.1.2 | Manual | Manual | High | |
| Azure_CIS_131_1_2 | Manual | Manual | Medium | lacework-global-597 | 1.1.3 | Manual | Manual | Medium | |
| Azure_CIS_131_1_3 | Automated | Manual | Medium | lacework-global-499 | 1.4 | Manual | Manual | Medium | |
| Azure_CIS_131_1_4 | Manual | Manual | Medium | lacework-global-500 | 1.5 | Manual | Manual | High | |
| Azure_CIS_131_1_5 | Manual | Manual | High | lacework-global-501 | 1.6 | Manual | Manual | High | |
| Azure_CIS_131_1_6 | Manual | Manual | High | lacework-global-503 | 1.8 | Manual | Manual | High | |
| Azure_CIS_131_1_7 | Manual | Manual | High | lacework-global-504 | 1.9 | Manual | Manual | High | |
| Azure_CIS_131_1_8 | Manual | Manual | High | lacework-global-505 | 1.10 | Manual | Manual | High | |
| Azure_CIS_131_1_9 | Manual | Manual | Medium | lacework-global-506 | 1.12 | Manual | Manual | Medium | |
| Azure_CIS_131_1_10 | Manual | Manual | High | lacework-global-507 | 1.13 | Manual | Manual | High | |
| Azure_CIS_131_1_11 | Manual | Manual | High | lacework-global-508 | 1.14 | Manual | Manual | High | |
| Azure_CIS_131_1_12 | Manual | Manual | High | lacework-global-509 | 1.15 | Manual | Manual | High | |
| Azure_CIS_131_1_13 | Manual | Manual | Critical | N/A | N/A | N/A | N/A | N/A | See Additional Notes. |
| Azure_CIS_131_1_14 | Manual | Manual | Critical | lacework-global-590 | 1.16 | Manual | Manual | Critical | |
| Azure_CIS_131_1_15 | Manual | Manual | Critical | lacework-global-510 | 1.17 | Manual | Manual | Critical | |
| Azure_CIS_131_1_16 | Manual | Manual | High | lacework-global-591 | 1.18 | Manual | Manual | High | |
| Azure_CIS_131_1_17 | Manual | Manual | High | lacework-global-592 | 1.19 | Manual | Manual | High | |
| Azure_CIS_131_1_18 | Manual | Manual | High | lacework-global-593 | 1.20 | Manual | Manual | High | |
| Azure_CIS_131_1_19 | Manual | Manual | High | lacework-global-594 | 1.21 | Manual | Manual | High | |
| Azure_CIS_131_1_20 | Manual | Manual | Medium | lacework-global-511 | 1.22 | Manual | Manual | Medium | |
| Azure_CIS_131_1_21 | Automated | Automated | High | lacework-global-512 | 1.23 | Automated | Automated | Medium | |
| Azure_CIS_131_1_22 | Automated | Manual | High | lacework-global-513 | 1.1.1 | Manual | Manual | High | |
| Azure_CIS_131_1_23 | Manual | Manual | Medium | lacework-global-595 | 1.24 | Manual | Manual | Medium | |
| Azure_CIS_131_2_1 | Manual | Manual | Medium | lacework-global-598 | 2.1.1 | Manual | Manual | Medium | |
| Azure_CIS_131_2_2 | Manual | Manual | Medium | lacework-global-599 | 2.1.2 | Manual | Manual | Medium | |
| Azure_CIS_131_2_3 | Manual | Manual | Medium | lacework-global-601 | 2.1.4 | Manual | Manual | Medium | |
| Azure_CIS_131_2_4 | Manual | Manual | Medium | lacework-global-602 | 2.1.5 | Manual | Manual | Medium | |
| Azure_CIS_131_2_5 | Manual | Manual | Medium | lacework-global-604 | 2.1.7 | Manual | Manual | Medium | |
| Azure_CIS_131_2_6 | Manual | Manual | Medium | N/A | N/A | N/A | N/A | N/A | See Additional Notes. |
| Azure_CIS_131_2_7 | Manual | Manual | Medium | lacework-global-605 | 2.1.8 | Manual | Manual | Medium | |
| Azure_CIS_131_2_8 | Manual | Manual | Medium | lacework-global-607 | 2.1.10 | Manual | Manual | Medium | |
| Azure_CIS_131_2_9 | Manual | Manual | Medium | lacework-global-614 | 2.4.2 | Manual | Manual | Medium | |
| Azure_CIS_131_2_10 | Manual | Manual | Medium | lacework-global-613 | 2.4.1 | Manual | Manual | Medium | |
| Azure_CIS_131_2_11 | Automated | Automated | High | lacework-global-524 | 2.2.1 | Automated | Manual | High | Released manual |
| Azure_CIS_131_2_12 | Manual | Manual | High | lacework-global-523 | 2.6 | Manual | Manual | Medium | |
| Azure_CIS_131_2_13 | Automated | Automated | High | lacework-global-526 | 2.3.2 | Automated | Manual | High | Released manual |
| Azure_CIS_131_2_14 | Automated | Automated | High | lacework-global-527 | 2.3.3 | Automated | Manual | High | Released manual |
| Azure_CIS_131_2_15 | Automated | Automated | High | lacework-global-525 | 2.3.1 | Automated | Manual | High | Released manual |
| Azure_CIS_131_3_1 | Automated | Automated | High | lacework-global-528 | 3.1 | Automated | Automated | High | |
| Azure_CIS_131_3_2 | Manual | Manual | High | lacework-global-530 | 3.4 | Manual | Manual | High | |
| Azure_CIS_131_3_3 | Manual | Automated | High | lacework-global-616 | 3.5 | Automated | Manual | High | Released manual |
| Azure_CIS_131_3_4 | Manual | Manual | High | lacework-global-531 | 3.6 | Manual | Manual | High | |
| Azure_CIS_131_3_5 | Automated | Automated | Critical | lacework-global-532 | 3.7 | Automated | Automated | Critical | |
| Azure_CIS_131_3_6 | Automated | Automated | High | lacework-global-533 | 3.8 | Automated | Automated | High | |
| Azure_CIS_131_3_7 | Manual | Automated | High | lacework-global-617 | 3.9 | Automated | Automated | High | |
| Azure_CIS_131_3_8 | Automated | Automated | High | lacework-global-535 | 3.11 | Automated | Manual | High | Released manual |
| Azure_CIS_131_3_9 | Automated | Manual | High | lacework-global-618 | 3.12 | Manual | Manual | High | |
| Azure_CIS_131_3_10 | Manual | Automated | High | lacework-global-619 | 3.13 | Automated | Manual | High | Released manual |
| Azure_CIS_131_3_11 | Manual | Automated | High | lacework-global-620 | 3.14 | Automated | Manual | High | Released manual |
| Azure_CIS_131_4_1_1 | Automated | Automated | High | lacework-global-537 | 4.1.1 | Automated | Manual | High | Released manual |
| Azure_CIS_131_4_1_2 | Automated | Automated | High | lacework-global-540 | 4.1.5 | Automated | Automated | High | |
| Azure_CIS_131_4_1_3 | Automated | Automated | High | lacework-global-541 | 4.1.6 | Automated | Manual | High | Released manual |
| Azure_CIS_131_4_2_1 | Automated | Automated | High | lacework-global-622 | 4.2.1 | Automated | Automated | High | Released on 1st March 2023. |
| Azure_CIS_131_4_2_2 | Automated | Automated | Medium | lacework-global-623 | 4.2.2 | Automated | Automated | Medium | Released on 1st March 2023. |
| Azure_CIS_131_4_2_3 | Automated | Automated | Medium | lacework-global-624 | 4.2.3 | Automated | Automated | Medium | Released on 1st March 2023. |
| Azure_CIS_131_4_2_4 | Automated | Automated | Medium | lacework-global-625 | 4.2.4 | Automated | Automated | Medium | Released on 1st March 2023. |
| Azure_CIS_131_4_2_5 | Automated | Automated | Medium | lacework-global-542 | 4.2.5 | Automated | Automated | Medium | Released on 1st March 2023. |
| Azure_CIS_131_4_3_1 | Automated | Automated | High | lacework-global-543 | 4.3.1 | Automated | Automated | High | |
| Azure_CIS_131_4_3_2 | Automated | Automated | High | lacework-global-551 | 4.4.1 | Automated | Automated | High | |
| Azure_CIS_131_4_3_3 | Automated | Automated | High | lacework-global-544 | 4.3.2 | Automated | Automated | High | Released on 1st March 2023. |
| Azure_CIS_131_4_3_4 | Automated | Automated | High | lacework-global-545 | 4.3.3 | Automated | Automated | High | Released on 1st March 2023. |
| Azure_CIS_131_4_3_5 | Automated | Automated | High | lacework-global-546 | 4.3.4 | Automated | Automated | High | Released on 1st March 2023. |
| Azure_CIS_131_4_3_6 | Automated | Automated | High | lacework-global-547 | 4.3.5 | Automated | Automated | High | Released on 1st March 2023. |
| Azure_CIS_131_4_3_7 | Automated | Automated | High | lacework-global-548 | 4.3.6 | Automated | Automated | High | Released on 1st March 2023. |
| Azure_CIS_131_4_3_8 | Manual | Manual | High | lacework-global-549 | 4.3.7 | Manual | Automated | High | Automated on 1st March 2023. |
| Azure_CIS_131_4_4 | Automated | Automated | High | lacework-global-539 | 4.1.4 | Automated | Automated | High | Released on 1st March 2023. |
| Azure_CIS_131_4_5 | Automated | Automated | High | lacework-global-621 | 4.1.3 | Automated | Automated | High | |
| Azure_CIS_131_5_1_1 | Automated | Manual | Low | lacework-global-554 | 5.1.1 | Manual | Manual | Low | |
| Azure_CIS_131_5_1_2 | Automated | Automated | Low | lacework-global-555 | 5.1.2 | Automated | Automated | Low | |
| Azure_CIS_131_5_1_3 | Automated | Automated | High | lacework-global-556 | 5.1.3 | Automated | Manual | High | Released manual |
| Azure_CIS_131_5_1_4 | Automated | Automated | Medium | lacework-global-630 | 5.1.4 | Automated | Manual | Medium | Released manual |
| Azure_CIS_131_5_1_5 | Automated | Automated | High | lacework-global-557 | 5.1.5 | Automated | Automated | High | |
| Azure_CIS_131_5_2_1 | Automated | Automated | Medium | lacework-global-558 | 5.2.1 | Automated | Automated | Medium | |
| Azure_CIS_131_5_2_2 | Automated | Automated | Medium | lacework-global-559 | 5.2.2 | Automated | Automated | Medium | |
| Azure_CIS_131_5_2_3 | Automated | Automated | HIgh | lacework-global-560 | 5.2.3 | Automated | Automated | High | |
| Azure_CIS_131_5_2_4 | Automated | Automated | High | lacework-global-561 | 5.2.4 | Automated | Automated | High | |
| Azure_CIS_131_5_2_5 | Automated | Automated | High | N/A | N/A | N/A | N/A | N/A | See Additional Notes. |
| Azure_CIS_131_5_2_6 | Automated | Automated | High | N/A | N/A | N/A | N/A | N/A | See Additional Notes. |
| Azure_CIS_131_5_2_7 | Automated | Automated | High | lacework-global-562 | 5.2.5 | Automated | Automated | High | |
| Azure_CIS_131_5_2_8 | Automated | Automated | High | lacework-global-563 | 5.2.6 | Automated | Automated | High | |
| Azure_CIS_131_5_2_9 | Automated | Automated | High | lacework-global-564, lacework-global-565 | 5.2.7, 5.2.8 | Automated | Automated | High | |
| Azure_CIS_131_5_3 | Automated | Manual | High | lacework-global-553 | 5.3 | Manual | Manual | High | |
| Azure_CIS_131_6_1 | Automated | Automated | High | lacework-global-568 | 6.1 | Automated | Automated | High | |
| Azure_CIS_131_6_2 | Automated | Automated | High | lacework-global-569 | 6.2 | Automated | Automated | High | |
| Azure_CIS_131_6_3 | Automated | Automated | High | lacework-global-538 | 4.1.2 | Automated | Automated | High | Released on 1st March 2023. |
| Azure_CIS_131_6_4 | Automated | Automated | Medium | lacework-global-633 | 6.5 | Automated | Automated | Medium | |
| Azure_CIS_131_6_5 | Manual | Manual | High | lacework-global-634 | 6.6 | Manual | Automated | High | |
| Azure_CIS_131_6_6 | Automated | Automated | Medium | lacework-global-570 | 6.3 | Automated | Automated | Medium | |
| Azure_CIS_131_7_1 | Manual | Manual | Info | lacework-global-573 | 7.1 | Manual | Automated | Info | |
| Azure_CIS_131_7_2 | Automated | Automated | High | lacework-global-635 | 7.2 | Automated | Automated | High | |
| Azure_CIS_131_7_3 | Automated | Automated | High | lacework-global-636 | 7.3 | Automated | Automated | High | |
| Azure_CIS_131_7_4 | Manual | Manual | High | lacework-global-574 | 7.4 | Manual | Manual | High | |
| Azure_CIS_131_7_5 | Manual | Manual | High | lacework-global-522 | 2.5 | Manual | Manual | High | |
| Azure_CIS_131_7_6 | Manual | Manual | Medium | lacework-global-637 | 7.5 | Manual | Manual | Medium | |
| Azure_CIS_131_7_7 | Manual | Manual | High | lacework-global-638 | 7.6 | Manual | Manual | Medium | |
| Azure_CIS_131_8_1 | Automated | Manual | High | lacework-global-575, lacework-global-576 | 8.1, 8.2 | Automated | Automated | High | Unreleased |
| Azure_CIS_131_8_2 | Automated | Manual | High | lacework-global-577, lacework-global-578 | 8.3, 8.4 | Automated | Automated | High | Unreleased |
| Azure_CIS_131_8_3 | Manual | Manual | Critical | lacework-global-645 | 10.1 | Manual | Manual | Critical | |
| Azure_CIS_131_8_4 | Automated | Automated | High | lacework-global-579 | 8.5 | Automated | Automated | High | |
| Azure_CIS_131_8_5 | Automated | Automated | Medium | N/A | N/A | N/A | N/A | N/A | See Additional Notes. |
| Azure_CIS_131_9_1 | Automated | Automated | Medium | lacework-global-642 | 9.1 | Automated | Automated | Medium | |
| Azure_CIS_131_9_2 | Automated | Automated | High | lacework-global-580 | 9.2 | Automated | Automated | High | |
| Azure_CIS_131_9_3 | Automated | Automated | Medium | lacework-global-581 | 9.3 | Automated | Automated | Medium | |
| Azure_CIS_131_9_4 | Automated | Automated | High | lacework-global-643 | 9.4 | Automated | Automated | High | |
| Azure_CIS_131_9_5 | Automated | Automated | Medium | lacework-global-582 | 9.5 | Automated | Automated | Medium | |
| Azure_CIS_131_9_6 | Manual | Manual | Medium | lacework-global-583 | 9.6 | Manual | Manual | Medium | |
| Azure_CIS_131_9_7 | Manual | Manual | Medium | lacework-global-584 | 9.7 | Manual | Manual | Medium | |
| Azure_CIS_131_9_8 | Manual | Manual | Medium | lacework-global-585 | 9.8 | Manual | Manual | Medium | |
| Azure_CIS_131_9_9 | Manual | Manual | Medium | lacework-global-586 | 9.9 | Automated | Automated | Medium | |
| Azure_CIS_131_9_10 | Automated | Automated | Medium | lacework-global-587 | 9.10 | Automated | Automated | Medium | |
| Azure_CIS_131_9_11 | Manual | Manual | Medium | lacework-global-644 | 9.11 | Manual | Manual | Medium |
Additional Notes
- Azure_CIS_131_1_13 - Azure merged the 'Guest can Invite' and 'Members Can Invite' options into one setting called 'Guest invite restrictions', so 1.13 and 1.14 (in v1.3.1) were merged for future versions.
- Azure_CIS_131_2_6 - Updates to Azure Defender plans resulted in 2.6 and 2.7 (in v1.3.1) being merged for future versions.
- Azure_CIS_131_5_2_5 - Removed following Azure updates.
- Azure_CIS_131_5_2_6 - Removed following Azure updates.
- Azure_CIS_131_8_5 - Moved to CIS Azure Kubernetes Service (AKS) Benchmark (Control ID 5.5.2 in v1.2.0).
New Policies in CIS Azure 1.5.0
All the new v1.5.0 policies (that were not in v1.3.1) are listed in the table below:
| CIS Control ID and Title | Lacework Policy ID | CIS Assessment Type | Lacework Assessment Type | Severity | Notes |
|---|---|---|---|---|---|
| 1.1.4 Ensure that 'Restore multi-factor authentication on all remembered devices' is Enabled | lacework-global-515 | Manual | Manual | Medium | |
| 1.2.1 Ensure Trusted Locations Are Defined | lacework-global-516 | Manual | Manual | Medium | |
| 1.2.2 Ensure that an exclusionary Geographic Access Policy is considered | lacework-global-517 | Manual | Manual | Low | |
| 1.2.3 Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups | lacework-global-518 | Manual | Manual | High | |
| 1.2.4 Ensure that A Multi-factor Authentication Policy Exists for All Users | lacework-global-519 | Manual | Manual | High | |
| 1.2.5 Ensure Multi-factor Authentication is Required for Risky Sign-ins | lacework-global-520 | Manual | Manual | High | |
| 1.2.6 Ensure Multi-factor Authentication is Required for Azure Management | lacework-global-521 | Manual | Manual | High | |
| 1.3 Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management | lacework-global-588 | Manual | Manual | Low | |
| 1.7 Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization | lacework-global-502 | Manual | Manual | High | |
| 1.11 Ensure That ‘Users Can Consent to Apps Accessing Company Data on Their Behalf’ Is Set To ‘Allow for Verified Publishers’ | lacework-global-589 | Manual | Manual | Medium | |
| 1.25 Ensure That ‘Subscription Entering AAD Directory’ and ‘Subscription Leaving AAD Directory’ Is Set To ‘Permit No One’ | lacework-global-596 | Manual | Manual | High | |
| 2.1.3 Ensure That Microsoft Defender for Databases Is Set To 'On' | lacework-global-600 | Manual | Manual | Medium | |
| 2.1.6 Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' | lacework-global-603 | Manual | Manual | Medium | |
| 2.1.9 Ensure That Microsoft Defender for Cosmos DB Is Set To 'On' | lacework-global-606 | Manual | Manual | Medium | |
| 2.1.11 Ensure That Microsoft Defender for DNS Is Set To 'On' | lacework-global-608 | Manual | Manual | Medium | |
| 2.1.12 Ensure That Microsoft Defender for IoT Is Set To 'On' | lacework-global-609 | Manual | Manual | Medium | |
| 2.1.13 Ensure That Microsoft Defender for Resource Manager Is Set To 'On' | lacework-global-610 | Manual | Manual | Medium | |
| 2.2.2 Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On' | lacework-global-611 | Automated | Manual | Medium | Released manual |
| 2.2.3 Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On' | lacework-global-612 | Automated | Manual | Medium | Released manual |
| 3.2 Ensure that ‘Enable Infrastructure Encryption’ for Each Storage Account in Azure Storage is Set to ‘enabled’ | lacework-global-615 | Manual | Automated | Low | |
| 3.3 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account | lacework-global-529 | Manual | Manual | Medium | |
| 3.10 Ensure Private Endpoints are used to access Storage Accounts | lacework-global-534 | Manual | Automated | Medium | |
| 3.15 Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2" | lacework-global-536 | Automated | Automated | Medium | |
| 4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' | lacework-global-550 | Automated | Automated | Medium | Released on 1st March 2023. |
| 4.4.2 Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server | lacework-global-552 | Automated | Automated | Medium | Released on 1st March 2023. |
| 4.4.3 Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server | lacework-global-626 | Manual | Manual | Medium | |
| 4.4.4 Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server | lacework-global-627 | Manual | Manual | Medium | |
| 4.5.1 Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks | lacework-global-628 | Manual | Automated | Medium | |
| 4.5.2 Ensure That Private Endpoints Are Used Where Possible | lacework-global-629 | Manual | Automated | Medium | |
| 5.1.6 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics | lacework-global-631 | Manual | Manual | Low | |
| 5.1.7 Ensure that logging for Azure AppService 'AppServiceHTTPLogs' is enabled | lacework-global-632 | Manual | Manual | Medium | |
| 5.2.9 Ensure that Activity Log Alert exists for Create or Update Public IP Address rule | lacework-global-566 | Automated | Automated | High | |
| 5.2.10 Ensure that Activity Log Alert exists for Delete Public IP Address rule | lacework-global-567 | Automated | Automated | High | |
| 6.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted | lacework-global-571 | Automated | Automated | High | |
| 6.7 Ensure that Public IP addresses are Evaluated on a Periodic Basis | lacework-global-572 | Manual | Manual | Medium | |
| 8.6 Enable Role Based Access Control for Azure Key Vault | lacework-global-639 | Manual | Automated | High | Automated on 1st March 2023. |
| 8.7 Ensure that Private Endpoints are Used for Azure Key Vault | lacework-global-640 | Manual | Automated | Medium | Automated on 1st March 2023. |
| 8.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services | lacework-global-641 | Manual | Manual | High |