@cyberstrike-io/cyberstrike 1.1.9 → 1.1.10-beta.1

package/skill/CIS_benchmarks/Azure/CIS_Microsoft_Azure_Compute_Services_Benchmark_v2.0.0/cis-azure-compute-2.3.11/SKILL.md

@@ -0,0 +1,97 @@
+---
+name: cis-azure-compute-2.3.11
+description: "Ensure 'App Service authentication' is set to 'Enabled'"
+category: cis-azure-compute
+version: "2.0.0"
+author: cyberstrike-official
+tags: [cis, azure, function-apps, app-service-auth, authentication, identity]
+cis_id: "2.3.11"
+cis_benchmark: "CIS Microsoft Azure Compute Services Benchmark v2.0.0"
+tech_stack: [azure]
+cwe_ids: []
+chains_with: []
+prerequisites: []
+severity_boost: {}
+---
+
+# Ensure 'App Service authentication' is set to 'Enabled'
+
+## Description
+App Service authentication can prevent anonymous HTTP requests from reaching an app, or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a login page. To handle the login process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.
+
+## Rationale
+By enabling authentication, every incoming HTTP request passes through it before being handled by the application code. It also handles authentication of users with the specified provider (Entra ID, Facebook, Google, Microsoft Account, and Twitter), validation, storage and refreshing of tokens, managing the authenticated sessions, and injecting identity information into request headers.
+
+## Impact
+This is only required for apps that require authentication. Enabling it on a site like a marketing or support website will prevent unauthenticated access, which would be undesirable.
+
+Adding an authentication requirement will increase costs and require additional security components to facilitate the authentication.
+
+## Audit Procedure
+
+### Using Azure Portal
+1. Go to `App Services` or `Function App`.
+2. Click the name of a function app.
+3. Under `Settings`, click `Authentication`.
+4. Ensure that `App Service authentication` is set to `Enabled`.
+5. Repeat steps 1-4 for each function app.
+
+### Using Azure CLI
+Run the following command to list function apps:
+```bash
+az functionapp list
+```
+
+For each function app, run the following command to get the authentication setting:
+
+For v1 auth commands:
+```bash
+az webapp auth show --resource-group <resource-group-name> --name <function-app-name> --query enabled
+```
+
+For v2 auth commands:
+```bash
+az webapp auth show --resource-group <resource-group-name> --name <function-app-name> --query properties.platform.enabled
+```
+
+Ensure that `true` is returned.
+
+## Expected Result
+App Service authentication should be `enabled` (return `true`).
+
+## Remediation
+
+### Using Azure Portal
+1. Go to `App Services` or `Function App`.
+2. Click the name of a function app.
+3. Under `Settings`, click `Authentication`.
+4. If an identity provider is not configured:
+   1. Click `Add identity provider`.
+   2. Provide appropriate configuration for an identity provider and click `Add`.
+5. If `App Service authentication` is set to `Disabled`:
+   1. Click `Enable authentication`.
+6. Repeat steps 1-5 for each function app requiring remediation.
+
+### Using Azure CLI
+For each function app requiring remediation, run the following command to enable authentication:
+```bash
+az webapp auth update --resource-group <resource-group-name> --name <function-app-name> --enabled true
+```
+
+**Note:** In order to access `App Service authentication` settings for an app using the Microsoft API, the `Website Contributor` permission at the subscription level is required. A custom role can be created instead of `Website Contributor` to provide more specific permissions and maintain the principle of least privileged access.
+
+## Default Value
+By default, `App Service authentication` is set to `Disabled`.
+
+## Additional Information
+You're not required to use App Service for authentication and authorization. Many web frameworks come with security features built in, and you can use them if you like. If you need more flexibility than App Service provides, you can also write your own utilities. Secure authentication and authorization require a deep understanding of security, including federation, encryption, JSON Web Token (JWT) management, grant types, and so on.
+
+## References
+1. https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization
+2. https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#website-contributor
+3. https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-3-manage-lifecycle-of-identities-and-entitlements
+4. https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-6-define-and-implement-identity-and-privileged-access-strategy
+5. https://learn.microsoft.com/en-us/cli/azure/webapp/auth
+
+## Profile
+Level 2 | Automated

package/skill/CIS_benchmarks/Azure/CIS_Microsoft_Azure_Compute_Services_Benchmark_v2.0.0/cis-azure-compute-2.3.12/SKILL.md

@@ -0,0 +1,92 @@
+---
+name: cis-azure-compute-2.3.12
+description: "Ensure managed identities are configured"
+category: cis-azure-compute
+version: "2.0.0"
+author: cyberstrike-official
+tags: [cis, azure, function-apps, managed-identity, entra-id, credential-management]
+cis_id: "2.3.12"
+cis_benchmark: "CIS Microsoft Azure Compute Services Benchmark v2.0.0"
+tech_stack: [azure]
+cwe_ids: []
+chains_with: []
+prerequisites: []
+severity_boost: {}
+---
+
+# Ensure managed identities are configured
+
+## Description
+Managed identities from Microsoft Entra ID allow function apps to securely access other Azure services without the need to provision or rotate any secrets.
+
+## Rationale
+Using managed identities with function apps eliminates the need to store and manage credentials to access Azure resources.
+
+## Impact
+Minor administrative overhead to configure and manage role assignments for managed identities.
+
+## Audit Procedure
+
+### Using Azure Portal
+1. Go to `App Services` or `Function App`.
+2. Click the name of a function app.
+3. Under `Settings`, click `Identity`.
+4. Ensure that in the `System assigned` pane, the `Status` is set to `On`, and an `Object (principal) ID` is displayed, or that in the `User assigned` pane, a managed identity is listed.
+5. Repeat steps 1-4 for each function app.
+
+### Using Azure CLI
+Run the following command to list function apps:
+```bash
+az functionapp list
+```
+
+For each function app, run the following command to get the identity setting:
+```bash
+az functionapp show --resource-group <resource-group-name> --name <function-app-name> --query "identity"
+```
+
+Ensure that `type` is set to `SystemAssigned`, `UserAssigned`, or both.
+
+## Expected Result
+The identity `type` should be set to `SystemAssigned`, `UserAssigned`, or both.
+
+## Remediation
+
+### Using Azure Portal
+1. Go to `App Services` or `Function App`.
+2. Click the name of a function app.
+3. Under `Settings`, click `Identity`.
+4. To add a system assigned managed identity:
+   1. In the `System assigned` pane, under `Status`, click `On`.
+   2. Click `Save`.
+   3. Click `Yes`.
+5. To add a user assigned managed identity:
+   1. In the `User assigned` pane, click `Add`.
+   2. Use the filter box to search for a managed identity.
+   3. Select the identity.
+   4. Click `Add`.
+6. Repeat steps 1-5 for each function app requiring remediation.
+
+### Using Azure CLI
+For each function app requiring remediation, run the following command to assign a system-assigned managed identity:
+```bash
+az functionapp identity assign --resource-group <resource-group-name> --name <function-app-name>
+```
+
+### Using Azure PowerShell
+For each function app requiring remediation, run the following command to assign a system-assigned managed identity:
+```powershell
+Update-AzFunctionApp -ResourceGroupName <resource-group-name> -Name <function-app-name> -IdentityType SystemAssigned -Force
+```
+
+## Default Value
+Managed identities are disabled by default for function apps.
+
+## References
+1. https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-identity-management#im-1-use-centralized-identity-and-authentication-system
+2. https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity
+3. https://learn.microsoft.com/en-us/cli/azure/functionapp
+4. https://learn.microsoft.com/en-us/powershell/module/az.functions/update-azfunctionapp
+
+## Profile
+Level 1 | Automated

package/skill/CIS_benchmarks/Azure/CIS_Microsoft_Azure_Compute_Services_Benchmark_v2.0.0/cis-azure-compute-2.3.13/SKILL.md

@@ -0,0 +1,89 @@
+---
+name: cis-azure-compute-2.3.13
+description: "Ensure public network access is disabled"
+category: cis-azure-compute
+version: "2.0.0"
+author: cyberstrike-official
+tags: [cis, azure, function-apps, public-network-access, network-security, private-endpoints]
+cis_id: "2.3.13"
+cis_benchmark: "CIS Microsoft Azure Compute Services Benchmark v2.0.0"
+tech_stack: [azure]
+cwe_ids: []
+chains_with: []
+prerequisites: []
+severity_boost: {}
+---
+
+# Ensure public network access is disabled
+
+## Description
+Disable public network access to prevent exposure to the internet and reduce the risk of unauthorized access. Use private endpoints to securely manage access within trusted networks.
+
+## Rationale
+Disabling public network access improves security by ensuring that the service is not directly exposed to the public Internet. This has the added benefit of providing more granular control over security settings and configurations for those additional layers of separation.
+
+## Impact
+**NOTE:** Prior to disabling public network access, it is strongly recommended that, for each function app, either:
+
+- complete virtual network integration as described in "Ensure app is integrated with a virtual network"
+
+OR
+
+- set up private endpoints/links as described in "Ensure private endpoints are used to access App Service apps."
+
+Disabling public network access restricts direct access to the service. This enhances security but will require the configuration of a virtual network and/or private endpoints for any services or users needing access within trusted networks.
+
+## Audit Procedure
+
+### Using Azure Portal
+1. Go to `App Services` or `Function App`.
+2. Click the name of a function app.
+3. Under `Settings`, click `Networking`.
+4. Under `Inbound traffic configuration`, ensure that `Public network access` is set to `Disabled`.
+5. Repeat steps 1-4 for each function app.
+
+### Using Azure CLI
+Run the following command to list function apps:
+```bash
+az functionapp list
+```
+
+For each function app, run the following command to get the public network access setting:
+```bash
+az functionapp show --resource-group <resource-group-name> --name <function-app-name> --query "publicNetworkAccess"
+```
+
+Ensure the command returns `"Disabled"`.
+
+## Expected Result
+The `publicNetworkAccess` setting should return `"Disabled"`.
+
+## Remediation
+
+### Using Azure Portal
+1. Go to `App Services` or `Function App`.
+2. Click the name of a function app.
+3. Under `Settings`, click `Networking`.
+4. Under `Inbound traffic configuration`, click the text next to `Public network access`.
+5. Select the radio button next to `Disabled`.
+6. Click `Save`.
+7. Check the box to confirm the change.
+8. Click `Continue`.
+9. Repeat steps 1-8 for each function app requiring remediation.
+
+### Using Azure CLI
+For each function app requiring remediation, run the following command to disable public network access:
+```bash
+az resource update --resource-group <resource-group-name> --name <function-app-name> --resource-type "Microsoft.Web/sites" --set properties.publicNetworkAccess=Disabled
+```
+
+## Default Value
+By default, public network access is enabled.
+
+## References
+1. https://learn.microsoft.com/en-us/azure/app-service/networking-features
+2. https://learn.microsoft.com/en-us/cli/azure/functionapp
+3. https://learn.microsoft.com/en-us/cli/azure/resource
+
+## Profile
+Level 1 | Automated

package/skill/CIS_benchmarks/Azure/CIS_Microsoft_Azure_Compute_Services_Benchmark_v2.0.0/cis-azure-compute-2.3.14/SKILL.md

@@ -0,0 +1,137 @@
+---
+name: cis-azure-compute-2.3.14
+description: "Ensure function app is integrated with a virtual network"
+category: cis-azure-compute
+version: "2.0.0"
+author: cyberstrike-official
+tags: [cis, azure, function-apps, vnet-integration, network-security, virtual-network]
+cis_id: "2.3.14"
+cis_benchmark: "CIS Microsoft Azure Compute Services Benchmark v2.0.0"
+tech_stack: [azure]
+cwe_ids: []
+chains_with: []
+prerequisites: []
+severity_boost: {}
+---
+
+# Ensure function app is integrated with a virtual network
+
+## Description
+Integrate function apps with a virtual network to enable access to resources in or through a non-internet-routable virtual network.
+
+This recommendation does not apply to function apps created on the consumption hosting plan, which does not support virtual networking.
+
+## Rationale
+Integrate function apps with a virtual network for increased security and control.
+
+## Impact
+Additional configuration may be required to ensure that traffic is routed properly.
+
+## Audit Procedure
+
+### Using Azure Portal
+1. Go to `App Services` or `Function App`.
+2. Click the name of a function app.
+3. Under `Settings`, click `Networking`.
+4. Under `Outbound traffic configuration`, next to `Virtual network integration`, ensure that a virtual network and subnet name are displayed.
+5. Repeat steps 1-4 for each function app.
+
+### Using Azure CLI
+Run the following command to list function apps:
+```bash
+az functionapp list
+```
+
+For each function app, run the following command to get the virtual network subnet ID:
+```bash
+az functionapp show --resource-group <resource-group-name> --name <function-app-name> --query "virtualNetworkSubnetId"
+```
+
+Ensure that a virtual network subnet ID is returned.
+
+### Using Azure PowerShell
+Run the following command to list function apps:
+```powershell
+Get-AzFunctionApp
+```
+
+Run the following command to get the function app in a resource group with a given name:
+```powershell
+$app = Get-AzFunctionApp -ResourceGroupName <resource-group-name> -Name <function-app-name>
+```
+
+Run the following command to get the virtual network subnet ID:
+```powershell
+$app.virtualNetworkSubnetId
+```
+
+Ensure that a virtual network subnet ID is returned. Repeat for each function app.
+
+## Expected Result
+A virtual network subnet ID should be returned (not null or empty).
+
+## Remediation
+
+### Using Azure Portal
+1. Go to `App Services` or `Function App`.
+2. Click the name of a function app.
+3. Under `Settings`, click `Networking`.
+4. Under `Outbound traffic configuration`, next to `Virtual network integration`, click `Not configured`.
+5. Click `Add virtual network integration`.
+6. Select an existing App Service Plan connection, or select `New connection` and select a subscription, virtual network, and subnet.
+7. Click `Connect`.
+8. Repeat steps 1-7 for each function app requiring remediation.
+
+### Using Azure CLI
+For each function app requiring remediation, run the following command to integrate with a virtual network:
+```bash
+az functionapp vnet-integration add --resource-group <resource-group-name> --name <function-app-name> --vnet <virtual-network-name> --subnet <subnet-name>
+```
+
+### Using Azure PowerShell
+For each function app requiring remediation, run the following commands to integrate with a virtual network:
+
+Prepare parameters:
+```powershell
+$siteName = '<app-name>'
+$vNetResourceGroupName = '<virtual-network-resource-group-name>'
+$functionAppResourceGroupName = '<function-app-resource-group-name>'
+$vNetName = '<virtual-network-name>'
+$integrationSubnetName = '<subnet-name>'
+$vNetSubscriptionId = '<subscription-guid>'
+```
+
+Check if the subnet is delegated to `Microsoft.Web/serverFarms`:
+```powershell
+$vnet = Get-AzVirtualNetwork -Name $vNetName -ResourceGroupName $vNetResourceGroupName
+$subnet = Get-AzVirtualNetworkSubnetConfig -Name $integrationSubnetName -VirtualNetwork $vnet
+Get-AzDelegation -Subnet $subnet
+```
+
+Add delegation:
+```powershell
+$subnet = Add-AzDelegation -Name "myDelegation" -ServiceName "Microsoft.Web/serverFarms" -Subnet $subnet
+Set-AzVirtualNetwork -VirtualNetwork $vnet
+```
+
+Configure virtual network integration:
+```powershell
+$subnetResourceId = "/subscriptions/$vNetSubscriptionId/resourceGroups/$vNetResourceGroupName/providers/Microsoft.Network/virtualNetworks/$vNetName/subnets/$integrationSubnetName"
+$functionApp = Get-AzResource -ResourceType Microsoft.Web/sites -ResourceGroupName $functionAppResourceGroupName -ResourceName $siteName
+$functionApp.Properties.virtualNetworkSubnetId = $subnetResourceId
+$functionApp.Properties.vnetRouteAllEnabled = 'true'
+$functionApp | Set-AzResource -Force
+```
+
+## Default Value
+By default, virtual network integration is not configured.
+
+## References
+1. https://learn.microsoft.com/en-us/azure/azure-functions/functions-networking-options
+2. https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration
+3. https://learn.microsoft.com/en-us/azure/app-service/configure-vnet-integration-enable
+4. https://learn.microsoft.com/en-us/cli/azure/functionapp
+5. https://learn.microsoft.com/en-us/powershell/module/az.functions/get-azfunctionapp
+
+## Profile
+Level 1 | Automated

package/skill/CIS_benchmarks/Azure/CIS_Microsoft_Azure_Compute_Services_Benchmark_v2.0.0/cis-azure-compute-2.3.15/SKILL.md

@@ -0,0 +1,75 @@
+---
+name: cis-azure-compute-2.3.15
+description: "Ensure configuration is routed through the virtual network integration"
+category: cis-azure-compute
+version: "2.0.0"
+author: cyberstrike-official
+tags: [cis, azure, function-apps, vnet-routing, configuration-routing, network-security]
+cis_id: "2.3.15"
+cis_benchmark: "CIS Microsoft Azure Compute Services Benchmark v2.0.0"
+tech_stack: [azure]
+cwe_ids: []
+chains_with: []
+prerequisites: []
+severity_boost: {}
+---
+
+# Ensure configuration is routed through the virtual network integration
+
+## Description
+By default, configuration traffic for function apps goes directly over the public route. Container image pulls and content sharing can be routed through the virtual network integration.
+
+This recommendation should be applied after integrating a function app with a virtual network.
+
+## Rationale
+Route container image pulls and content sharing through a virtual network integration for increased security and control.
+
+## Impact
+Additional configuration may be required to ensure that traffic is routed properly.
+
+## Audit Procedure
+
+### Using Azure CLI
+Run the following command to list function apps:
+```bash
+az functionapp list
+```
+
+For each function app, run the following command to get the container image share and content share settings:
+```bash
+az functionapp show --resource-group <resource-group-name> --name <function-app-name> --query "[vnetImagePullEnabled,vnetContentShareEnabled]"
+```
+
+Ensure that `[true,true]` is returned.
+
+### Using Azure Portal
+There is no specific Azure Portal audit procedure documented for this control. Use the Azure CLI method.
+
+## Expected Result
+Both `vnetImagePullEnabled` and `vnetContentShareEnabled` should return `true` (`[true,true]`).
+
+## Remediation
+
+### Using Azure CLI
+For each function app requiring remediation, run the following command to route container image pulls and content sharing through the virtual network integration:
+```bash
+az resource update --resource-group <resource-group-name> --name <function-app-name> --resource-type "Microsoft.Web/sites" --set properties.vnetImagePullEnabled=true --set properties.vnetContentShareEnabled=true
+```
+
+### Using Azure Portal
+There is no specific Azure Portal remediation procedure documented for this control. Use the Azure CLI method.
+
+## Additional Information
+In addition to configuring the routing for content sharing, you must also ensure that any firewall or Network Security Group configured on traffic from the subnet allow traffic to port 443 and 445.
+
+## Default Value
+By default, configuration traffic goes directly over the public route.
+
+## References
+1. https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration#routes
+2. https://learn.microsoft.com/en-us/azure/app-service/configure-vnet-integration-routing#configure-configuration-routing
+3. https://learn.microsoft.com/en-us/cli/azure/functionapp
+4. https://learn.microsoft.com/en-us/cli/azure/resource
+
+## Profile
+Level 2 | Automated

package/skill/CIS_benchmarks/Azure/CIS_Microsoft_Azure_Compute_Services_Benchmark_v2.0.0/cis-azure-compute-2.3.16/SKILL.md

@@ -0,0 +1,83 @@
+---
+name: cis-azure-compute-2.3.16
+description: "Ensure all traffic is routed through the virtual network"
+category: cis-azure-compute
+version: "2.0.0"
+author: cyberstrike-official
+tags: [cis, azure, function-apps, vnet-route-all, outbound-traffic, network-security]
+cis_id: "2.3.16"
+cis_benchmark: "CIS Microsoft Azure Compute Services Benchmark v2.0.0"
+tech_stack: [azure]
+cwe_ids: []
+chains_with: []
+prerequisites: []
+severity_boost: {}
+---
+
+# Ensure all traffic is routed through the virtual network
+
+## Description
+Enable `vnetRouteAllEnabled` to ensure all outbound traffic is routed through the integrated virtual network.
+
+This recommendation should be applied after integrating a function app with a virtual network.
+
+## Rationale
+Routing all outbound traffic through the virtual network enhances security.
+
+## Impact
+Additional configuration may be required to ensure that traffic is routed properly.
+
+## Audit Procedure
+
+### Using Azure Portal
+1. Go to `App Services` or `Function App`.
+2. Click the name of a function app.
+3. Under `Settings`, click `Networking`.
+4. Under `Outbound traffic configuration`, next to `Virtual network integration`, click the virtual network and subnet name.
+5. Under `Application routing`, ensure that the box next to `Outbound internet traffic` is checked.
+6. Repeat steps 1-5 for each function app.
+
+### Using Azure CLI
+Run the following command to list function apps:
+```bash
+az functionapp list
+```
+
+For each function app, run the following command to get the virtual network traffic routing setting:
+```bash
+az functionapp show --resource-group <resource-group-name> --name <app-name> --query vnetRouteAllEnabled
+```
+
+Ensure that `true` is returned.
+
+## Expected Result
+The `vnetRouteAllEnabled` setting should return `true`.
+
+## Remediation
+
+### Using Azure Portal
+1. Go to `App Services` or `Function App`.
+2. Click the name of a function app.
+3. Under `Settings`, click `Networking`.
+4. Under `Outbound traffic configuration`, next to `Virtual network integration`, click the virtual network and subnet name.
+5. Under `Application routing`, check the box next to `Outbound internet traffic`.
+6. Click `Apply`.
+7. Repeat steps 1-6 for each function app requiring remediation.
+
+### Using Azure CLI
+For each function app requiring remediation, run the following command to route all traffic through the virtual network:
+```bash
+az resource update --resource-group <resource-group-name> --name <function-app-name> --resource-type "Microsoft.Web/sites" --set properties.vnetRouteAllEnabled=true
+```
+
+## Default Value
+For function apps integrated with a virtual network, all traffic is routed through the virtual network by default.
+
+## References
+1. https://learn.microsoft.com/en-us/azure/app-service/configure-vnet-integration-routing#configure-application-routing
+2. https://learn.microsoft.com/en-us/azure/azure-functions/functions-app-settings#vnetrouteallenabled
+3. https://learn.microsoft.com/en-us/cli/azure/functionapp
+4. https://learn.microsoft.com/en-us/cli/azure/resource
+
+## Profile
+Level 1 | Automated

package/skill/CIS_benchmarks/Azure/CIS_Microsoft_Azure_Compute_Services_Benchmark_v2.0.0/cis-azure-compute-2.3.17/SKILL.md

@@ -0,0 +1,88 @@
+---
+name: cis-azure-compute-2.3.17
+description: "Ensure cross-origin resource sharing does not allow all origins"
+category: cis-azure-compute
+version: "2.0.0"
+author: cyberstrike-official
+tags: [cis, azure, function-apps, cors, cross-origin, web-security, csrf]
+cis_id: "2.3.17"
+cis_benchmark: "CIS Microsoft Azure Compute Services Benchmark v2.0.0"
+tech_stack: [azure]
+cwe_ids: []
+chains_with: []
+prerequisites: []
+severity_boost: {}
+---
+
+# Ensure cross-origin resource sharing does not allow all origins
+
+## Description
+Cross-origin resource sharing (CORS) is a security feature that controls how applications interact with resources hosted on different domains.
+
+## Rationale
+Restrict CORS to only trusted origins to help enforce proper access control and reduce exposure to malicious cross-origin requests.
+
+## Impact
+Configuration is required to ensure that the appropriate origins have access.
+
+Setting up a proper CORS policy can be fairly complex and an incorrect setting could permit Cross-Site Request Forgery (CSRF). The "caveat" is that if the app being deployed is a PUBLIC API, a wildcard "*" CORS policy is absolutely necessary.
+
+## Audit Procedure
+
+### Using Azure Portal
+1. Go to `App Service` or `Function App`.
+2. Click the name of a function app.
+3. Under `API`, click `CORS`.
+4. Ensure `Allowed Origins` does not include `*`.
+5. Repeat steps 1-4 for each function app.
+
+### Using Azure CLI
+Run the following command to list function apps:
+```bash
+az functionapp list
+```
+
+For each function app, run the following command to get the CORS allowed origins setting:
+```bash
+az functionapp show --resource-group <resource-group-name> --name <function-app-name> --query siteConfig.cors.allowedOrigins
+```
+
+Ensure that the response does not include `*`.
+
+## Expected Result
+The CORS allowed origins should not include a wildcard `*` entry.
+
+## Remediation
+
+### Using Azure Portal
+1. Go to `App Service` or `Function App`.
+2. Click the name of a function app.
+3. Under `API`, click `CORS`.
+4. Under `Allowed Origins`, delete the entry that equals `*`.
+5. Specify the origins that should be allowed to make cross-origin calls.
+6. Click `Save`.
+7. Repeat steps 1-6 for each function app requiring remediation.
+
+### Using Azure CLI
+For each function app requiring remediation, run the following command to remove the wildcard origin:
+```bash
+az functionapp cors remove --resource-group <resource-group-name> --name <function-app-name> --allowed-origins "*"
+```
+
+Use the following command to specify the origins that should be allowed:
+```bash
+az functionapp cors add --resource-group <resource-group-name> --name <function-app-name> --allowed-origins <allowed-origins>
+```
+
+## Default Value
+By default, `Allowed Origins` is set to `https://portal.azure.com`.
+
+## References
+1. https://learn.microsoft.com/en-gb/azure/app-service/app-service-web-tutorial-rest-api
+2. https://learn.microsoft.com/en-us/cli/azure/functionapp/cors
+3. https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html
+4. https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS
+5. https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
+
+## Profile
+Level 2 | Automated