prowler-cloud 5.13.1__py3-none-any.whl → 5.14.1__py3-none-any.whl

prowler/compliance/m365/prowler_threatscore_m365.json

@@ -1024,7 +1024,7 @@
       "Attributes": [
         {
           "Title": "AuditDisabled organizationally is set to False",
-          "Section": "3. Logging and monitoring",
+          "Section": "3. Logging and Monitoring",
           "SubSection": "3.1 Logging",
           "AttributeDescription": "The setting “Mailbox auditing on by default” determines whether mailbox auditing is automatically enabled across all mailboxes in the organization, regardless of their individual auditing configuration. When this setting is configured as False, it enables auditing at the organization level, overriding the AuditEnabled property for individual mailboxes—even if it is explicitly set to False. With this setting enabled, default audit actions are automatically recorded for all mailboxes without requiring manual configuration. Conversely, disabling this setting (True) effectively turns off mailbox auditing across the organization and overrides any mailbox-level auditing settings. The consequences of disabling this setting include: • Mailbox auditing is completely disabled organization-wide. • No mailbox actions are logged, even if AuditEnabled is set to True for individual mailboxes. • New mailboxes do not inherit auditing, and setting AuditEnabled=True has no effect. • Bypass audit rules set via Set-MailboxAuditBypassAssociation are ignored. • Existing audit records remain in place until they expire based on the audit log retention policy. The recommended configuration is to set this value to False at the organization level to ensure auditing is enforced consistently.",
           "AdditionalInformation": "Enforcing mailbox auditing by default ensures that audit logging cannot be unintentionally or maliciously disabled on individual mailboxes. This setting provides vital visibility for forensic investigations and incident response (IR) teams, allowing them to trace suspicious or malicious activity—such as unauthorized inbox access, message deletion, or rule manipulation—that may signal account compromise. Consistent auditing across all mailboxes is critical for detecting threat actor behaviors (TTPs) and correlating events across users. While organizations without Microsoft 365 E5 licenses are limited to 90 days of audit log retention, enabling this setting still significantly improves detection and accountability within that window.",
@@ -1042,7 +1042,7 @@
       "Attributes": [
         {
           "Title": "Mailbox auditing for E3 users is Enabled",
-          "Section": "3. Logging and monitoring",
+          "Section": "3. Logging and Monitoring",
           "SubSection": "3.1 Logging",
           "AttributeDescription": "As of January 2019, Microsoft enables mailbox audit logging by default across all organizations. This feature ensures that specific actions performed by mailbox owners, delegates, and administrators are automatically captured and recorded. These audit records can then be searched by administrators through the mailbox audit log in Microsoft 365. Each mailbox type—whether user, shared, resource, or public folder—can have tailored audit settings to track activities that are most relevant to the organization. While audit logging is enabled by default at the organizational level, it is important to explicitly configure the AuditEnabled property to True on all user mailboxes, and to expand the list of audited actions beyond the Microsoft defaults to meet specific visibility or compliance needs. Note: This recommendation is particularly relevant to users with Microsoft 365 E3 licenses, where audit actions differ slightly from the default configurations in E5.",
           "AdditionalInformation": "Mailbox auditing plays a critical role in supporting both regulatory compliance and security monitoring. Whether investigating unauthorized configuration changes, potential account compromise, or insider threats, detailed mailbox audit logs provide essential evidence for security operations, forensic analysis, and general administrative oversight. While mailbox auditing is enabled by default for most user mailboxes, certain mailbox types—such as Resource Mailboxes, Public Folder Mailboxes, and the DiscoverySearch Mailbox—do not inherit the organizational auditing default. For these mailboxes, AuditEnabled must be manually set to True to ensure relevant activities are captured. Note: Organizations without Microsoft 365 E5 licenses are subject to a 90-day audit log retention limit, but enabling comprehensive mailbox auditing remains a best practice for operational readiness and incident response.",
@@ -1060,7 +1060,7 @@
       "Attributes": [
         {
           "Title": "Mailbox auditing for E5 users is Enabled",
-          "Section": "3. Logging and monitoring",
+          "Section": "3. Logging and Monitoring",
           "SubSection": "3.1 Logging",
           "AttributeDescription": "Since January 2019, mailbox audit logging has been enabled by default in all Microsoft 365 organizations. This feature ensures that specific actions performed by mailbox owners, delegates, and administrators are automatically captured and stored as audit records. These logs are accessible to administrators through the Microsoft 365 mailbox audit log, enabling visibility into key mailbox-level activity. Although logging is enabled by default, each mailbox—particularly user and shared mailboxes—can have custom audit actions assigned to capture the specific types of events deemed valuable by the organization. For environments with Microsoft 365 E5 licenses or the advanced auditing add-on, it is recommended to explicitly set AuditEnabled to True on all user mailboxes and to configure additional audit actions beyond Microsoft’s default settings for enhanced visibility. Note: This recommendation specifically applies to E5 or equivalent auditing-enabled license holders, as the available audit depth and event coverage differ from E3.",
           "AdditionalInformation": "Mailbox audit logging is essential for supporting security investigations, regulatory compliance, and operational forensics in Microsoft 365. Whether you’re tracking unauthorized changes, detecting suspicious access, or conducting post-incident analysis, having a complete and accurate mailbox audit trail is critical. While audit logging is broadly applied by default, certain mailbox types bypass the organizational setting and require manual configuration to enable auditing. These include: • Resource Mailboxes • Public Folder Mailboxes • DiscoverySearch Mailboxes For these mailbox types, the AuditEnabled property must be explicitly set to True to ensure that audit events are captured. Important: Without advanced auditing (included in E5 or via add-on), mailbox audit logs are retained for only 90 days, limiting the historical window for investigations. Nonetheless, enabling detailed auditing remains a key best practice for maintaining strong visibility and compliance readiness.",
@@ -1078,7 +1078,7 @@
       "Attributes": [
         {
           "Title": "AuditBypassEnabled is not enabled on mailboxes",
-          "Section": "3. Logging and monitoring",
+          "Section": "3. Logging and Monitoring",
           "SubSection": "3.1 Logging",
           "AttributeDescription": "The AuditBypassEnabled setting in Microsoft 365 allows specific user or computer accounts to bypass mailbox audit logging, meaning that any actions they perform on mailboxes will not be recorded in the audit logs. This includes actions such as reading, deleting, moving, or modifying messages.",
           "AdditionalInformation": "Allowing an account to bypass mailbox audit logging creates a blind spot in security monitoring. If the account is compromised, misused, or maliciously configured, it can access and interact with mailboxes without leaving any trace in the logs. This significantly undermines the organization’s ability to conduct forensic investigations, detect insider threats, or comply with audit requirements.",
@@ -1096,7 +1096,7 @@
       "Attributes": [
         {
           "Title": "Microsoft 365 audit log search is Enabled ",
-          "Section": "3. Logging and monitoring",
+          "Section": "3. Logging and Monitoring",
           "SubSection": "3.2 Retention",
           "AttributeDescription": "Audit log search in the Microsoft Purview compliance portal allows organizations to track and retain user and administrator activities across Microsoft 365 services. When enabled, audit events—such as sign-ins, file access, configuration changes, and other operational actions—are captured and stored for up to 90 days by default. While some organizations may choose to integrate auditing data with third-party Security Information and Event Management (SIEM) systems, audit log search in Microsoft Purview remains a critical native capability for centralized visibility and incident response. Although global administrators have the ability to disable audit log search, it is generally recommended to keep it enabled to maintain full visibility into user and system activity.",
           "AdditionalInformation": "Activating audit log search provides essential forensic and compliance value. It enables organizations to detect anomalous behavior, investigate potential security incidents, and demonstrate adherence to regulatory and legal requirements. In addition, it supports operational monitoring, internal audits, and proactive threat detection. By retaining and centralizing audit data within the Microsoft 365 ecosystem, security and compliance teams gain faster access to actionable insights, reducing response times and strengthening the organization’s overall security posture.",
@@ -1114,7 +1114,7 @@
       "Attributes": [
         {
           "Title": "Notifications for internal users sending malware is Enabled",
-          "Section": "3. Logging and monitoring",
+          "Section": "3. Logging and Monitoring",
           "SubSection": "3.3 Monitoring",
           "AttributeDescription": "Exchange Online Protection (EOP) is Microsoft’s cloud-based email filtering service designed to safeguard organizations against spam, malware, and other email-borne threats. It is included by default in all Microsoft 365 tenants with Exchange Online mailboxes. EOP provides customizable anti-malware policies that allow administrators to define protection settings and configure alerts for detected malicious activity.",
           "AdditionalInformation": "Enabling notifications for malware detections ensures that administrators are alerted when an internal user sends a message containing malware. Such incidents may signal a compromised user account or infected device, requiring immediate investigation to mitigate potential security breaches.",

prowler/compliance/{oci/cis_3.0_oci.json → oraclecloud/cis_3.0_oraclecloud.json}

@@ -2,7 +2,7 @@
   "Framework": "CIS",
   "Name": "CIS Oracle Cloud Infrastructure Foundations Benchmark v3.0.0",
   "Version": "3.0",
-  "Provider": "OCI",
+  "Provider": "OracleCloud",
   "Description": "The CIS Oracle Cloud Infrastructure Foundations Benchmark provides prescriptive guidance for configuring security options for Oracle Cloud Infrastructure with an emphasis on foundational, testable, and architecture agnostic settings.",
   "Requirements": [
     {

prowler/config/config.py

@@ -3,6 +3,7 @@ import pathlib
 from datetime import datetime, timezone
 from enum import Enum
 from os import getcwd
+from typing import Tuple
 
 import requests
 import yaml
@@ -10,11 +11,36 @@ from packaging import version
 
 from prowler.lib.logger import logger
 
-timestamp = datetime.today()
-timestamp_utc = datetime.now(timezone.utc).replace(tzinfo=timezone.utc)
-prowler_version = "5.13.1"
+
+class _MutableTimestamp:
+    """Lightweight proxy to keep timestamp references in sync across modules."""
+
+    def __init__(self, value: datetime) -> None:
+        self.value = value
+
+    def set(self, value: datetime) -> None:
+        self.value = value
+
+    def __getattr__(self, name):
+        return getattr(self.value, name)
+
+    def __str__(self) -> str:  # pragma: no cover - trivial forwarder
+        return str(self.value)
+
+    def __repr__(self) -> str:  # pragma: no cover - trivial forwarder
+        return repr(self.value)
+
+    def __eq__(self, other) -> bool:
+        if isinstance(other, _MutableTimestamp):
+            return self.value == other.value
+        return self.value == other
+
+
+timestamp = _MutableTimestamp(datetime.today())
+timestamp_utc = _MutableTimestamp(datetime.now(timezone.utc))
+prowler_version = "5.14.1"
 html_logo_url = "https://github.com/prowler-cloud/prowler/"
-square_logo_img = "https://prowler.com/wp-content/uploads/logo-html.png"
+square_logo_img = "https://raw.githubusercontent.com/prowler-cloud/prowler/dc7d2d5aeb92fdf12e8604f42ef6472cd3e8e889/docs/img/prowler-logo-black.png"
 aws_logo = "https://user-images.githubusercontent.com/38561120/235953920-3e3fba08-0795-41dc-b480-9bea57db9f2e.png"
 azure_logo = "https://user-images.githubusercontent.com/38561120/235927375-b23e2e0f-8932-49ec-b59c-d89f61c8041d.png"
 gcp_logo = "https://user-images.githubusercontent.com/38561120/235928332-eb4accdc-c226-4391-8e97-6ca86a91cf50.png"
@@ -33,7 +59,7 @@ class Provider(str, Enum):
     IAC = "iac"
     NHN = "nhn"
     MONGODBATLAS = "mongodbatlas"
-    OCI = "oci"
+    ORACLECLOUD = "oraclecloud"
 
 
 # Compliance
@@ -84,6 +110,34 @@ encoding_format_utf_8 = "utf-8"
 available_output_formats = ["csv", "json-asff", "json-ocsf", "html"]
 
 
+def set_output_timestamp(
+    new_timestamp: datetime,
+) -> Tuple[datetime, datetime, str, str]:
+    """
+    Override the global output timestamps so generated artifacts reflect a specific scan.
+    Returns the previous values so callers can restore them afterwards.
+    """
+    global timestamp, timestamp_utc, output_file_timestamp, timestamp_iso
+
+    previous_values = (
+        timestamp.value,
+        timestamp_utc.value,
+        output_file_timestamp,
+        timestamp_iso,
+    )
+
+    timestamp.set(new_timestamp)
+    timestamp_utc.set(
+        new_timestamp.astimezone(timezone.utc)
+        if new_timestamp.tzinfo
+        else new_timestamp.replace(tzinfo=timezone.utc)
+    )
+    output_file_timestamp = timestamp.strftime("%Y%m%d%H%M%S")
+    timestamp_iso = timestamp.isoformat(sep=" ", timespec="seconds")
+
+    return previous_values
+
+
 def get_default_mute_file_path(provider: str):
     """
     get_default_mute_file_path returns the default mute file path for the provider

prowler/config/config.yaml

@@ -511,6 +511,9 @@ gcp:
   # gcp.iam_service_account_unused
   # gcp.iam_sa_user_managed_key_unused
   max_unused_account_days: 180
+  # GCP Storage Sufficient Retention Period
+  # gcp.cloudstorage_bucket_sufficient_retention_period
+  storage_min_retention_days: 90
 
 # Kubernetes Configuration
 kubernetes:

prowler/lib/check/check.py

@@ -518,16 +518,8 @@ def execute_checks(
                 )
                 try:
                     try:
-                        # Map CLI provider names to directory names (for cases where they differ)
-                        provider_directory_map = {
-                            "oci": "oraclecloud",  # oci SDK conflict avoidance
-                        }
-                        provider_directory = provider_directory_map.get(
-                            global_provider.type, global_provider.type
-                        )
-
                         # Import check module
-                        check_module_path = f"prowler.providers.{provider_directory}.services.{service}.{check_name}.{check_name}"
+                        check_module_path = f"prowler.providers.{global_provider.type}.services.{service}.{check_name}.{check_name}"
                         lib = import_check(check_module_path)
                         # Recover functions from check
                         check_to_execute = getattr(lib, check_name)

prowler/lib/check/checks_loader.py

@@ -1,3 +1,5 @@
+import sys
+
 from colorama import Fore, Style
 
 from prowler.lib.check.check import parse_checks_from_file
@@ -57,8 +59,24 @@ def load_checks_to_execute(
 
         # Handle if there are checks passed using -c/--checks
         if check_list:
+            # Validate that all checks exist
+            available_checks = set(bulk_checks_metadata.keys())
+            available_checks.update(check_aliases.keys())
+            invalid_checks = []
             for check_name in check_list:
-                checks_to_execute.add(check_name)
+                if check_name not in available_checks:
+                    invalid_checks.append(check_name)
+                else:
+                    checks_to_execute.add(check_name)
+
+            if invalid_checks:
+                logger.critical(
+                    f"Invalid check(s) specified: {', '.join(invalid_checks)}"
+                )
+                logger.critical(
+                    f"Please provide valid check names. Use 'prowler {provider} --list-checks' to see available checks."
+                )
+                sys.exit(1)
 
         # Handle if there are some severities passed using --severity
         elif severities:
@@ -66,6 +84,23 @@ def load_checks_to_execute(
                 checks_to_execute.update(check_severities[severity])
 
             if service_list:
+                # Validate that all services exist
+                available_services = set()
+                for metadata in bulk_checks_metadata.values():
+                    available_services.add(metadata.ServiceName)
+
+                invalid_services = [
+                    s for s in service_list if s not in available_services
+                ]
+                if invalid_services:
+                    logger.critical(
+                        f"Invalid service(s) specified: {', '.join(invalid_services)}"
+                    )
+                    logger.critical(
+                        f"Please provide valid service names. Use 'prowler {provider} --list-services' to see available services."
+                    )
+                    sys.exit(1)
+
                 checks_from_services = set()
                 for service in service_list:
                     service_checks = CheckMetadata.list(
@@ -81,6 +116,21 @@ def load_checks_to_execute(
 
         # Handle if there are services passed using -s/--services
         elif service_list:
+            # Validate that all services exist
+            available_services = set()
+            for metadata in bulk_checks_metadata.values():
+                available_services.add(metadata.ServiceName)
+
+            invalid_services = [s for s in service_list if s not in available_services]
+            if invalid_services:
+                logger.critical(
+                    f"Invalid service(s) specified: {', '.join(invalid_services)}"
+                )
+                logger.critical(
+                    f"Please provide valid service names. Use 'prowler {provider} --list-services' to see available services."
+                )
+                sys.exit(1)
+
             for service in service_list:
                 checks_to_execute.update(
                     CheckMetadata.list(
@@ -103,6 +153,20 @@ def load_checks_to_execute(
 
         # Handle if there are categories passed using --categories
         elif categories:
+            # Validate that all categories exist
+            available_categories = set(check_categories.keys())
+            invalid_categories = [
+                c for c in categories if c not in available_categories
+            ]
+            if invalid_categories:
+                logger.critical(
+                    f"Invalid category(ies) specified: {', '.join(invalid_categories)}"
+                )
+                logger.critical(
+                    f"Please provide valid category names. Use 'prowler {provider} --list-categories' to see available categories."
+                )
+                sys.exit(1)
+
             for category in categories:
                 checks_to_execute.update(check_categories[category])
 

prowler/lib/check/models.py

@@ -457,7 +457,8 @@ class Check(ABC, CheckMetadata):
         # Verify names consistency
         check_id = self.CheckID
         class_name = self.__class__.__name__
-        file_name = file_path.split(sep="/")[-1]
+        # os.path.basename handles Windows and POSIX paths reliably
+        file_name = os.path.basename(file_path)
 
         errors = []
         if check_id != class_name:
@@ -588,8 +589,17 @@ class Check_Report_GCP(Check_Report):
             or getattr(resource, "name", None)
             or ""
         )
+
+        # Prefer the explicit resource_name argument, otherwise look for a name attribute on the resource
+        resource_name_candidate = resource_name or getattr(resource, "name", None)
+        if not resource_name_candidate and isinstance(resource, dict):
+            # Some callers pass a dict, so fall back to the dict entry if available
+            resource_name_candidate = resource.get("name")
+        if isinstance(resource_name_candidate, str):
+            # Trim whitespace so empty strings collapse to the default
+            resource_name_candidate = resource_name_candidate.strip()
         self.resource_name = (
-            resource_name or getattr(resource, "name", "") or "GCP Project"
+            str(resource_name_candidate) if resource_name_candidate else "GCP Project"
         )
         self.project_id = project_id or getattr(resource, "project_id", "")
         self.location = (

prowler/lib/check/utils.py

@@ -46,14 +46,8 @@ def recover_checks_from_provider(
 
 # List all available modules in the selected provider and service
 def list_modules(provider: str, service: str):
-    # Map CLI provider names to directory names (for cases where they differ)
-    provider_directory_map = {
-        "oci": "oraclecloud",  # OCI SDK conflict avoidance
-    }
-    provider_directory = provider_directory_map.get(provider, provider)
-
     # This module path requires the full path including "prowler."
-    module_path = f"prowler.providers.{provider_directory}.services"
+    module_path = f"prowler.providers.{provider}.services"
     if service:
         module_path += f".{service}"
     return walk_packages(

prowler/lib/cli/parser.py

@@ -15,6 +15,7 @@ from prowler.lib.check.models import Severity
 from prowler.lib.outputs.common import Status
 from prowler.providers.common.arguments import (
     init_providers_parser,
+    validate_asff_usage,
     validate_provider_arguments,
 )
 
@@ -26,17 +27,17 @@ class ProwlerArgumentParser:
         self.parser = argparse.ArgumentParser(
             prog="prowler",
             formatter_class=RawTextHelpFormatter,
-            usage="prowler [-h] [--version] {aws,azure,gcp,kubernetes,m365,github,nhn,mongodbatlas,oci,dashboard,iac} ...",
+            usage="prowler [-h] [--version] {aws,azure,gcp,kubernetes,m365,github,nhn,mongodbatlas,oraclecloud,dashboard,iac} ...",
             epilog="""
 Available Cloud Providers:
-  {aws,azure,gcp,kubernetes,m365,github,iac,llm,nhn,mongodbatlas,oci}
+  {aws,azure,gcp,kubernetes,m365,github,iac,llm,nhn,mongodbatlas,oraclecloud}
     aws                 AWS Provider
     azure               Azure Provider
     gcp                 GCP Provider
     kubernetes          Kubernetes Provider
     m365                Microsoft 365 Provider
     github              GitHub Provider
-    oci                 Oracle Cloud Infrastructure Provider
+    oraclecloud         Oracle Cloud Infrastructure Provider
     iac                 IaC Provider (Beta)
     llm                 LLM Provider (Beta)
     nhn                 NHN Provider (Unofficial)
@@ -113,6 +114,9 @@ Detailed documentation at https://docs.prowler.com
             # Microsoft 365
             elif sys.argv[1] == "microsoft365":
                 sys.argv[1] = "m365"
+            # Oracle Cloud Infrastructure
+            elif sys.argv[1] == "oci":
+                sys.argv[1] = "oraclecloud"
 
         # Parse arguments
         args = self.parser.parse_args()
@@ -132,6 +136,12 @@ Detailed documentation at https://docs.prowler.com
         if not valid:
             self.parser.error(f"{args.provider}: {message}")
 
+        asff_is_valid, asff_error = validate_asff_usage(
+            args.provider, getattr(args, "output_formats", None)
+        )
+        if not asff_is_valid:
+            self.parser.error(asff_error)
+
         return args
 
     def __set_default_provider__(self, args: list) -> list:
@@ -301,7 +311,7 @@ Detailed documentation at https://docs.prowler.com
             "--checks-folder",
             "-x",
             nargs="?",
-            help="Specify external directory with custom checks (each check must have a folder with the required files, see more in https://docs.prowler.cloud/en/latest/tutorials/misc/#custom-checks).",
+            help="Specify external directory with custom checks (each check must have a folder with the required files, see more in https://docs.prowler.com/user-guide/cli/tutorials/misc#custom-checks-in-prowler).",
         )
 
     def __init_list_checks_parser__(self):
@@ -354,7 +364,7 @@ Detailed documentation at https://docs.prowler.com
             "--mutelist-file",
             "-w",
             nargs="?",
-            help="Path for mutelist YAML file. See example prowler/config/<provider>_mutelist.yaml for reference and format. For AWS provider, it also accepts AWS DynamoDB Table, Lambda ARNs or S3 URIs, see more in https://docs.prowler.cloud/en/latest/tutorials/mutelist/",
+            help="Path for mutelist YAML file. See example prowler/config/<provider>_mutelist.yaml for reference and format. For AWS provider, it also accepts AWS DynamoDB Table, Lambda ARNs or S3 URIs, see more in https://docs.prowler.com/user-guide/cli/tutorials/mutelist",
         )
 
     def __init_config_parser__(self):
@@ -381,7 +391,7 @@ Detailed documentation at https://docs.prowler.com
             "--custom-checks-metadata-file",
             nargs="?",
             default=None,
-            help="Path for the custom checks metadata YAML file. See example prowler/config/custom_checks_metadata_example.yaml for reference and format. See more in https://docs.prowler.cloud/en/latest/tutorials/custom-checks-metadata/",
+            help="Path for the custom checks metadata YAML file. See example prowler/config/custom_checks_metadata_example.yaml for reference and format. See more in https://docs.prowler.com/user-guide/cli/tutorials/custom-checks-metadata/",
         )
 
     def __init_third_party_integrations_parser__(self):
@@ -399,5 +409,5 @@ Detailed documentation at https://docs.prowler.com
         third_party_subparser.add_argument(
             "--slack",
             action="store_true",
-            help="Send a summary of the execution with a Slack APP in your channel. Environment variables SLACK_API_TOKEN and SLACK_CHANNEL_NAME are required (see more in https://docs.prowler.cloud/en/latest/tutorials/integrations/#slack).",
+            help="Send a summary of the execution with a Slack APP in your channel. Environment variables SLACK_API_TOKEN and SLACK_CHANNEL_NAME are required (see more in https://docs.prowler.com/user-guide/cli/tutorials/integrations#configuration-of-the-integration-with-slack/).",
         )

prowler/lib/mutelist/mutelist.py

@@ -153,8 +153,10 @@ class Mutelist(ABC):
         Check if the provided finding is muted for the audited account, check, region, resource and tags.
 
         The Mutelist works in a way that each field is ANDed, so if a check is muted for an account, region, resource and tags, it will be muted.
-        The exceptions are ORed, so if a check is excepted for an account, region, resource or tags, it will not be muted.
-        The only particularity is the tags, which are ORed.
+
+        Exceptions use AND logic across specified fields, with unspecified fields treated as wildcards (matching all values).
+
+        Tag matching uses AND logic when multiple tags are listed (all must match). OR logic is achieved using regex alternation (|) within a single tag pattern.
 
         So, for the following Mutelist:
         ```
@@ -167,11 +169,16 @@ class Mutelist(ABC):
                         Resources:
                             - 'i-123456789'
                         Tags:
-                            - 'Name=AdminInstance | Environment=Prod'
+                            - 'Name=AdminInstance|Environment=Prod'
                         Description: 'Field to describe why the findings associated with these values are muted'
         ```
         The check `ec2_instance_detailed_monitoring_enabled` will be muted for all accounts and regions and for the resource_id 'i-123456789' with at least one of the tags 'Name=AdminInstance' or 'Environment=Prod'.
 
+        Note: The pipe (|) in the tag pattern provides OR logic via regex alternation. To require BOTH tags, use two separate tag entries:
+        Tags:
+            - 'Name=AdminInstance'
+            - 'Environment=Prod'
+
         Args:
             mutelist (dict): Dictionary containing information about muted checks for different accounts.
             audited_account (str): The account being audited.
@@ -408,12 +415,13 @@ class Mutelist(ABC):
         Args:
             matched_items (list): List of items to be matched.
             finding_items (str): String to search for matched items.
-            tag (bool): If True the search will have a different logic due to the tags being ANDed or ORed:
-                - Check of AND logic -> True if all the tags are present in the finding.
-                - Check of OR logic -> True if any of the tags is present in the finding.
+            tag (bool): If True, uses AND logic across multiple tags in the list.
+                - Multiple tags: ALL tags in matched_items must be present in finding_items (AND logic).
+                - Single tag with regex alternation (|): Matches if pattern is found (enables OR within pattern).
+                - For non-tags: Uses OR logic - returns True if ANY item matches.
 
         Returns:
-            bool: True if any of the matched_items are present in finding_items, otherwise False.
+            bool: For tags - True if ALL patterns match. For non-tags - True if ANY pattern matches.
         """
         try:
             is_item_matched = False

prowler/lib/outputs/compliance/c5/c5_azure.py

@@ -0,0 +1,92 @@
+from prowler.config.config import timestamp
+from prowler.lib.check.compliance_models import Compliance
+from prowler.lib.outputs.compliance.c5.models import AzureC5Model
+from prowler.lib.outputs.compliance.compliance_output import ComplianceOutput
+from prowler.lib.outputs.finding import Finding
+
+
+class AzureC5(ComplianceOutput):
+    """
+    This class represents the Azure C5 compliance output.
+
+    Attributes:
+        - _data (list): A list to store transformed data from findings.
+        - _file_descriptor (TextIOWrapper): A file descriptor to write data to a file.
+
+    Methods:
+        - transform: Transforms findings into Azure C5 compliance format.
+    """
+
+    def transform(
+        self,
+        findings: list[Finding],
+        compliance: Compliance,
+        compliance_name: str,
+    ) -> None:
+        """
+        Transforms a list of findings into Azure C5 compliance format.
+
+        Parameters:
+            - findings (list): A list of findings.
+            - compliance (Compliance): A compliance model.
+            - compliance_name (str): The name of the compliance model.
+
+        Returns:
+            - None
+        """
+        for finding in findings:
+            # Get the compliance requirements for the finding
+            finding_requirements = finding.compliance.get(compliance_name, [])
+            for requirement in compliance.Requirements:
+                if requirement.Id in finding_requirements:
+                    for attribute in requirement.Attributes:
+                        compliance_row = AzureC5Model(
+                            Provider=finding.provider,
+                            Description=compliance.Description,
+                            SubscriptionId=finding.account_uid,
+                            Location=finding.region,
+                            AssessmentDate=str(timestamp),
+                            Requirements_Id=requirement.Id,
+                            Requirements_Description=requirement.Description,
+                            Requirements_Attributes_Section=attribute.Section,
+                            Requirements_Attributes_SubSection=attribute.SubSection,
+                            Requirements_Attributes_Type=attribute.Type,
+                            Requirements_Attributes_AboutCriteria=attribute.AboutCriteria,
+                            Requirements_Attributes_ComplementaryCriteria=attribute.ComplementaryCriteria,
+                            Status=finding.status,
+                            StatusExtended=finding.status_extended,
+                            ResourceId=finding.resource_uid,
+                            ResourceName=finding.resource_name,
+                            CheckId=finding.check_id,
+                            Muted=finding.muted,
+                            Framework=compliance.Framework,
+                            Name=compliance.Name,
+                        )
+                        self._data.append(compliance_row)
+        # Add manual requirements to the compliance output
+        for requirement in compliance.Requirements:
+            if not requirement.Checks:
+                for attribute in requirement.Attributes:
+                    compliance_row = AzureC5Model(
+                        Provider=compliance.Provider.lower(),
+                        Description=compliance.Description,
+                        SubscriptionId="",
+                        Location="",
+                        AssessmentDate=str(timestamp),
+                        Requirements_Id=requirement.Id,
+                        Requirements_Description=requirement.Description,
+                        Requirements_Attributes_Section=attribute.Section,
+                        Requirements_Attributes_SubSection=attribute.SubSection,
+                        Requirements_Attributes_Type=attribute.Type,
+                        Requirements_Attributes_AboutCriteria=attribute.AboutCriteria,
+                        Requirements_Attributes_ComplementaryCriteria=attribute.ComplementaryCriteria,
+                        Status="MANUAL",
+                        StatusExtended="Manual check",
+                        ResourceId="manual_check",
+                        ResourceName="Manual check",
+                        CheckId="manual",
+                        Muted=False,
+                        Framework=compliance.Framework,
+                        Name=compliance.Name,
+                    )
+                    self._data.append(compliance_row)