prowler 5.17.1__py3-none-any.whl → 5.18.0__py3-none-any.whl

prowler/providers/azure/services/network/network_flow_log_captured_sent/network_flow_log_captured_sent.metadata.json

@@ -1,30 +1,37 @@
 {
   "Provider": "azure",
   "CheckID": "network_flow_log_captured_sent",
-  "CheckTitle": "Ensure that network flow logs are captured and fed into a central log analytics workspace.",
+  "CheckTitle": "Network Watcher has flow logs enabled and sent to a Log Analytics workspace",
   "CheckType": [],
   "ServiceName": "network",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "high",
-  "ResourceType": "Network",
+  "ResourceType": "microsoft.network/networkwatchers",
   "ResourceGroup": "network",
-  "Description": "Ensure that network flow logs are captured and fed into a central log analytics workspace.",
-  "Risk": "Network Flow Logs provide valuable insight into the flow of traffic around your network and feed into both Azure Monitor and Azure Sentinel (if in use), permitting the generation of visual flow diagrams to aid with analyzing for lateral movement, etc.",
-  "RelatedUrl": "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-4-enable-network-logging-for-security-investigation",
+  "Description": "**Azure Network Watcher** has **NSG flow logs** enabled and configured to forward traffic records to a centralized **Log Analytics workspace**",
+  "Risk": "Missing or disabled flow logging blinds visibility into network behavior, hindering detection of:\n- **Lateral movement** and internal scanning\n- **C2 beacons** and exfiltration patterns\nThis degrades incident response and correlation, impacting **confidentiality** and **integrity**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/azure/network-watcher/vnet-flow-logs-tutorial",
+    "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-4-enable-network-logging-for-security-investigation"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "az network watcher flow-log create --location <REGION> --name <FLOW_LOG_NAME> --resource-group <RESOURCE_GROUP> --nsg <NSG_NAME> --storage-account <STORAGE_ACCOUNT_NAME> --enabled true --workspace <LOG_ANALYTICS_WORKSPACE_ID>",
+      "NativeIaC": "```bicep\n// Enable NSG flow logs and send to Log Analytics\nresource flowLog 'Microsoft.Network/networkWatchers/flowLogs@2022-09-01' = {\n  name: '<example_resource_name>/<example_resource_name>'\n  location: '<REGION>'\n  properties: {\n    enabled: true // CRITICAL: turns on flow logs\n    targetResourceId: '<example_resource_id>' // NSG resource ID\n    storageId: '<example_resource_id>' // required for NSG flow logs\n    flowAnalyticsConfiguration: {\n      networkWatcherFlowAnalyticsConfiguration: {\n        enabled: true // CRITICAL: sends flow logs to Log Analytics\n        workspaceResourceId: '<example_resource_id>' // Log Analytics workspace resource ID\n      }\n    }\n  }\n}\n```",
+      "Other": "1. In Azure portal, go to Network Watcher > Flow logs\n2. Click + Create (or Create flow log)\n3. Select the target NSG and region\n4. Set Status to On\n5. Select a Storage account\n6. Enable Traffic analytics, then select your Log Analytics workspace\n7. Click Review + create, then Create",
+      "Terraform": "```hcl\n# Enable NSG flow logs and send to Log Analytics\nresource \"azurerm_network_watcher_flow_log\" \"<example_resource_name>\" {\n  network_watcher_name       = \"<example_resource_name>\"\n  resource_group_name        = \"<example_resource_name>\"\n  network_security_group_id  = \"<example_resource_id>\"\n  storage_account_id         = \"<example_resource_id>\"\n\n  enabled = true # CRITICAL: turns on flow logs\n\n  traffic_analytics {        \n    enabled                = true # CRITICAL: sends flow logs to Log Analytics\n    workspace_id           = \"<example_resource_id>\"      # workspace_id (GUID) or use data source\n    workspace_region       = \"<REGION>\"\n    workspace_resource_id  = \"<example_resource_id>\"      # Log Analytics workspace resource ID\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "1. Navigate to Network Watcher. 2. Select NSG flow logs. 3. Select + Create. 4. Select the desired Subscription. 5. Select + Select NSG. 6. Select a network security group. 7. Click Confirm selection. 8. Select or create a new Storage Account. 9. Input the retention in days to retain the log. 10. Click Next. 11. Under Configuration, select Version 2. 12. If rich analytics are required, select Enable Traffic Analytics, a processing interval, and a Log Analytics Workspace. 13. Select Next. 14. Optionally add Tags. 15. Select Review + create. 16. Select Create. Warning The remediation policy creates remediation deployment and names them by concatenating the subscription name and the resource group name. The MAXIMUM permitted length of a deployment name is 64 characters. Exceeding this will cause the remediation task to fail.",
-      "Url": "https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal"
+      "Text": "Enable and centrally aggregate **NSG flow logs** to a **Log Analytics workspace**.\n\n- Enforce least privilege on log data\n- Define retention and secure storage\n- Use layered monitoring (e.g., Traffic Analytics)\n- Ensure coverage across regions/subscriptions and critical NSGs",
+      "Url": "https://hub.prowler.com/check/network_flow_log_captured_sent"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "logging",
+    "forensics-ready"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": "The impact of configuring NSG Flow logs is primarily one of cost and configuration. If deployed, it will create storage accounts that hold minimal amounts of data on a 5-day lifecycle before feeding to Log Analytics Workspace. This will increase the amount of data stored and used by Azure Monitor."

prowler/providers/azure/services/network/network_flow_log_more_than_90_days/network_flow_log_more_than_90_days.metadata.json

@@ -1,30 +1,39 @@
 {
   "Provider": "azure",
   "CheckID": "network_flow_log_more_than_90_days",
-  "CheckTitle": "Ensure that Network Security Group Flow Log retention period is 0, 90 days or greater",
+  "CheckTitle": "Network Watcher has all flow logs enabled with retention set to 0 or at least 90 days",
   "CheckType": [],
   "ServiceName": "network",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "Network",
+  "ResourceType": "microsoft.network/networkwatchers",
   "ResourceGroup": "network",
-  "Description": "Network Security Group Flow Logs should be enabled and the retention period set to greater than or equal to 90 days.",
-  "Risk": "Flow logs enable capturing information about IP traffic flowing in and out of network security groups. Logs can be used to check for anomalies and give insight into suspected breaches.",
-  "RelatedUrl": " https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview",
+  "Description": "**Azure Network Watcher** has **NSG flow logs** enabled and configured to retain for at least `90` days (or `0` for unlimited). The evaluation checks that flow logging is enabled and that the retention policy meets the required duration for each configured log.",
+  "Risk": "Absent or short-retained **NSG flow logs** reduce visibility into IP flows, delaying detection of port scans, brute force, data exfiltration, and lateral movement.\n\nForensics and accountability degrade, threatening **confidentiality** and **integrity**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/cli/azure/network/watcher/flow-log?view=azure-cli-latest",
+    "https://learn.microsoft.com/en-us/azure/network-watcher/nsg-flow-logs-overview?tabs=Americas",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Network/sufficient-nsg-flow-log-retention-period.html",
+    "https://support.icompaas.com/support/solutions/articles/62000229906-ensure-that-network-security-group-flow-log-retention-period-is-greater-than-90-days-"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "az network watcher flow-log configure --nsg <NameorID of the Network Security Group> --enabled true --resource-group <resourceGroupName> --retention 91 -- storage-account <NameorID of the storage account to save flow logs>",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Network/sufficient-nsg-flow-log-retention-period.html",
-      "Terraform": "https://docs.prowler.com/checks/azure/azure-logging-policies/bc_azr_logging_1#terraform"
+      "CLI": "az network watcher flow-log create --location <LOCATION> --name <example_resource_name> --nsg <example_resource_id> --storage-account <example_resource_id> --retention 90",
+      "NativeIaC": "```bicep\n// Enable NSG flow logs with retention >= 90 days\nresource flowlog 'Microsoft.Network/networkWatchers/flowLogs@2023-09-01' = {\n  name: '<example_resource_name>/<example_resource_name>'\n  location: '<LOCATION>'\n  properties: {\n    targetResourceId: '<example_resource_id>'\n    storageId: '<example_resource_id>'\n    enabled: true           // critical: turns on flow logs\n    retentionPolicy: {\n      enabled: true         // critical: activates retention policy\n      days: 90              // critical: 0 (unlimited) or >= 90 to pass\n    }\n  }\n}\n```",
+      "Other": "1. In Azure Portal, go to Network Watcher > NSG flow logs\n2. Select the NSG to configure\n3. Set Status to On\n4. Set Retention (days) to 0 (unlimited) or at least 90\n5. Select a Storage account\n6. Click Save",
+      "Terraform": "```hcl\n# Enable NSG flow logs with retention >= 90 days\nresource \"azurerm_network_watcher_flow_log\" \"<example_resource_name>\" {\n  name                 = \"<example_resource_name>\"\n  network_watcher_name = \"<example_resource_name>\"\n  resource_group_name  = \"<example_resource_name>\"\n  target_resource_id   = \"<example_resource_id>\"\n  storage_account_id   = \"<example_resource_id>\"\n\n  enabled = true  # critical: turns on flow logs\n\n  retention_policy {\n    enabled = true # critical: activates retention policy\n    days    = 90   # critical: 0 (unlimited) or >= 90 to pass\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "From Azure Portal 1. Go to Network Watcher 2. Select NSG flow logs blade in the Logs section 3. Select each Network Security Group from the list 4. Ensure Status is set to On 5. Ensure Retention (days) setting greater than 90 days 6. Select your storage account in the Storage account field 7. Select Save From Azure CLI Enable the NSG flow logs and set the Retention (days) to greater than or equal to 90 days. az network watcher flow-log configure --nsg <NameorID of the Network Security Group> --enabled true --resource-group <resourceGroupName> --retention 91 --storage-account <NameorID of the storage account to save flow logs>",
-      "Url": "https://docs.microsoft.com/en-us/cli/azure/network/watcher/flow-log?view=azure-cli-latest"
+      "Text": "Enable **NSG flow logs** and keep retention  `90` days (`0` for unlimited). Restrict and monitor access to logs, store immutably, and stream to a SIEM to detect anomalies. Apply **defense in depth** and **least privilege**. Plan migration to **Virtual network flow logs** as NSG flow logs are being retired.",
+      "Url": "https://hub.prowler.com/check/network_flow_log_more_than_90_days"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "logging",
+    "forensics-ready"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": "This will keep IP traffic logs for longer than 90 days. As a level 2, first determine your need to retain data, then apply your selection here. As this is data stored for longer, your monthly storage costs will increase depending on your data use."

prowler/providers/azure/services/network/network_http_internet_access_restricted/network_http_internet_access_restricted.metadata.json

@@ -1,30 +1,36 @@
 {
   "Provider": "azure",
   "CheckID": "network_http_internet_access_restricted",
-  "CheckTitle": "Ensure that HTTP(S) access from the Internet is evaluated and restricted",
+  "CheckTitle": "Network security group restricts inbound HTTP (port 80) access from the Internet",
   "CheckType": [],
   "ServiceName": "network",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "high",
-  "ResourceType": "Network",
+  "ResourceType": "microsoft.network/networksecuritygroups",
   "ResourceGroup": "network",
-  "Description": "Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required and narrowly configured.",
-  "Risk": "The potential security problem with using HTTP(S) over the Internet is that attackers can use various brute force techniques to gain access to Azure resources. Once the attackers gain access, they can use the resource as a launch point for compromising other resources within the Azure tenant.",
-  "RelatedUrl": "https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-1-establish-network-segmentation-boundaries",
+  "Description": "**Azure NSG** are evaluated for inbound rules that allow public **HTTP** access on `TCP 80`, including cases where `80` is covered by a port range, from `0.0.0.0/0`, `Internet`, or `*`.",
+  "Risk": "Exposing `TCP 80` to the Internet increases attack surface:\n- Web recon and exploits compromise **integrity** and **availability**\n- Cleartext HTTP can leak credentials, cookies, and data, harming **confidentiality**\n- Public endpoints enable bot abuse and footholds for lateral movement",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Network/unrestricted-http-access.html",
+    "https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-1-establish-network-segmentation-boundaries"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Network/unrestricted-http-access.html",
-      "Terraform": ""
+      "CLI": "az network nsg rule update --resource-group <RESOURCE_GROUP> --nsg-name <NSG_NAME> --name <RULE_NAME> --access Deny",
+      "NativeIaC": "```bicep\n// Deny inbound HTTP from Internet on an existing NSG\nresource nsg 'Microsoft.Network/networkSecurityGroups@2023-09-01' existing = {\n  name: '<example_resource_name>'\n}\n\nresource denyHttp 'Microsoft.Network/networkSecurityGroups/securityRules@2023-09-01' = {\n  name: '${nsg.name}/Deny-HTTP-Internet'\n  properties: {\n    priority: 100\n    direction: 'Inbound'\n    access: 'Deny'                 // CRITICAL: Denies the HTTP rule so it no longer allows Internet traffic\n    protocol: 'Tcp'\n    sourceAddressPrefix: 'Internet' // CRITICAL: Targets traffic coming from the Internet\n    destinationAddressPrefix: '*'\n    sourcePortRange: '*'\n    destinationPortRange: '80'      // CRITICAL: Blocks port 80 (HTTP)\n  }\n}\n```",
+      "Other": "1. In Azure Portal, go to Network Security Groups and select your NSG\n2. Open Inbound security rules\n3. Find any rule with Action Allow, Protocol TCP or Any, Destination port 80 (or range including 80), and Source Internet/*/0.0.0.0/0\n4. Select the rule and click Edit\n5. Change Action to Deny (or delete the rule)\n6. Click Save",
+      "Terraform": "```hcl\n# Deny inbound HTTP from Internet on an existing NSG\nresource \"azurerm_network_security_rule\" \"deny_http_internet\" {\n  name                        = \"deny-http-internet\"\n  resource_group_name         = \"<example_resource_name>\"\n  network_security_group_name = \"<example_resource_name>\"\n  priority                    = 100\n  direction                   = \"Inbound\"\n  access                      = \"Deny\"           # CRITICAL: Deny so HTTP from Internet is not allowed\n  protocol                    = \"Tcp\"\n  source_address_prefix       = \"Internet\"       # CRITICAL: Matches traffic from the Internet\n  destination_address_prefix  = \"*\"\n  source_port_range           = \"*\"\n  destination_port_range      = \"80\"             # CRITICAL: Blocks port 80 (HTTP)\n}\n```"
     },
     "Recommendation": {
-      "Text": "Where HTTP(S) is not explicitly required and narrowly configured for resources attached to the Network Security Group, Internet-level access to your Azure resources should be restricted or eliminated. For internal access to relevant resources, configure an encrypted network tunnel such as: ExpressRoute Site-to-site VPN Point-to-site VPN",
-      "Url": ""
+      "Text": "Apply **least privilege** at NSGs:\n- Remove broad allows to `TCP 80`, or restrict to trusted sources\n- Enforce **HTTPS (443)** and redirect or block HTTP\n- Use **private access** patterns and segmentation for **defense in depth**\n- If exposure is necessary, place services behind a **WAF**, enable **DDoS** protections, and monitor",
+      "Url": "https://hub.prowler.com/check/network_http_internet_access_restricted"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/azure/services/network/network_public_ip_shodan/network_public_ip_shodan.metadata.json

@@ -1,27 +1,32 @@
 {
   "Provider": "azure",
   "CheckID": "network_public_ip_shodan",
-  "CheckTitle": "Check if an Azure Public IP is exposed in Shodan (requires Shodan API KEY).",
+  "CheckTitle": "Azure public IP address is not listed in Shodan",
   "CheckType": [],
   "ServiceName": "network",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "high",
-  "ResourceType": "Network",
+  "ResourceType": "microsoft.network/publicipaddresses",
   "ResourceGroup": "network",
-  "Description": "Check if an Azure Public IP is exposed in Shodan (requires Shodan API KEY).",
-  "Risk": "If an Azure Public IP is exposed in Shodan, it can be accessed by anyone on the internet. This can lead to unauthorized access to your resources.",
+  "Description": "**Azure Public IP addresses** are detected as **indexed by Shodan**, indicating Internet-visible services with open `ports` and service banner metadata.",
+  "Risk": "Shodan-visible IPs are easy to discover and target, elevating risks to **confidentiality** and **integrity**. Adversaries can enumerate banners, probe open ports, brute-force access, and exploit known CVEs, enabling unauthorized entry, data exfiltration, and lateral movement.",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.shodan.io/",
+    "https://support.icompaas.com/support/solutions/articles/62000235334-ensure-any-public-addresses-are-listed-in-shodan-using-shodan-api-",
+    "https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-addresses"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "az network public-ip delete --resource-group <RESOURCE_GROUP> --name <PUBLIC_IP_NAME>",
+      "NativeIaC": "```bicep\n// Remove public exposure by NOT associating a public IP\nresource subnet 'Microsoft.Network/virtualNetworks/subnets@2023-11-01' existing = {\n  name: '<example_vnet_name>/<example_subnet_name>'\n}\n\nresource nic 'Microsoft.Network/networkInterfaces@2023-11-01' = {\n  name: '<example_resource_name>'\n  location: resourceGroup().location\n  properties: {\n    ipConfigurations: [\n      {\n        name: 'ipconfig1'\n        properties: {\n          privateIPAllocationMethod: 'Dynamic'\n          subnet: { id: subnet.id }\n          // CRITICAL: No 'publicIPAddress' property -> NIC has no public IP, preventing Shodan listing\n        }\n      }\n    ]\n  }\n}\n```",
+      "Other": "1. In the Azure portal, go to Public IP addresses and select the affected IP\n2. Click Dissociate and confirm to remove it from the attached resource\n3. Click Delete to remove the Public IP from your subscription",
+      "Terraform": "```hcl\n# NIC without a public IP association\nresource \"azurerm_network_interface\" \"<example_resource_name>\" {\n  name                = \"<example_resource_name>\"\n  location            = \"<LOCATION>\"\n  resource_group_name = \"<RESOURCE_GROUP>\"\n\n  ip_configuration {\n    name                          = \"ipconfig1\"\n    subnet_id                     = \"<example_resource_id>\"\n    private_ip_address_allocation = \"Dynamic\"\n    # CRITICAL: Omit public_ip_address_id -> no public IP, preventing Shodan listing\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Check Identified IPs, Consider changing them to private ones and delete them from Shodan.",
-      "Url": "https://www.shodan.io/"
+      "Text": "Minimize **public exposure**: prefer **private endpoints** or VPN/bastion, restrict ingress per least privilege (avoid `0.0.0.0/0`), close unused ports, patch and harden services, and apply defense-in-depth segmentation. Continuously inventory public IPs and rotate them if sensitive banners were exposed.",
+      "Url": "https://hub.prowler.com/check/network_public_ip_shodan"
     }
   },
   "Categories": [

prowler/providers/azure/services/network/network_rdp_internet_access_restricted/network_rdp_internet_access_restricted.metadata.json

@@ -1,30 +1,38 @@
 {
   "Provider": "azure",
   "CheckID": "network_rdp_internet_access_restricted",
-  "CheckTitle": "Ensure that RDP access from the Internet is evaluated and restricted",
+  "CheckTitle": "Network security group does not allow inbound RDP (TCP 3389) from the Internet",
   "CheckType": [],
   "ServiceName": "network",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "high",
-  "ResourceType": "Network",
+  "ResourceType": "microsoft.network/networksecuritygroups",
   "ResourceGroup": "network",
-  "Description": "Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.",
-  "Risk": "The potential security problem with using RDP over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on an Azure Virtual Network or even attack networked devices outside of Azure.",
-  "RelatedUrl": "https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices#disable-rdpssh-access-to-azure-virtual-machines",
+  "Description": "**Azure NSG inbound rules** are evaluated for **public RDP exposure**. The finding flags rules that `Allow` `TCP` traffic to `port 3389` from broad sources like `0.0.0.0/0`, `Internet`, or `*`, including ranges that cover `3389`.",
+  "Risk": "Exposed **RDP** enables Internet-wide **brute force** and **credential stuffing**, risking unauthorized console access.\n\nCompromise can cause data theft (**confidentiality**), tampering or malware deployment (**integrity**), VM lockout or disruption (**availability**), and **lateral movement** within the VNet.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Network/unrestricted-rdp-access.html",
+    "https://learn.microsoft.com/en-za/answers/questions/1374791/policy-to-block-the-creation-of-nsgs-with-rules-th",
+    "https://learn.microsoft.com/en-us/azure/security/fundamentals/network-best-practices#disable-rdpssh-access-to-azure-virtual-machines",
+    "https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-1-establish-network-segmentation-boundaries"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Network/unrestricted-rdp-access.html#",
-      "Terraform": "https://docs.prowler.com/checks/azure/azure-networking-policies/bc_azr_networking_2#terraform"
+      "CLI": "az network nsg rule delete --resource-group <RESOURCE_GROUP> --nsg-name <example_resource_name> --name <RDP_RULE_NAME>",
+      "NativeIaC": "```bicep\n// NSG with RDP allowed only from a restricted CIDR (not Internet)\nresource nsg 'Microsoft.Network/networkSecurityGroups@2023-09-01' = {\n  name: '<example_resource_name>'\n  location: '<region>'\n  properties: {\n    securityRules: [\n      {\n        name: 'Allow-RDP-Restricted'\n        properties: {\n          priority: 100\n          direction: 'Inbound'\n          access: 'Allow'\n          protocol: 'Tcp'\n          sourcePortRange: '*'\n          destinationPortRange: '3389'\n          destinationAddressPrefix: '*'\n          sourceAddressPrefix: '<AUTHORIZED_CIDR>' // CRITICAL: restrict source; not \"Internet\", \"*\", or \"0.0.0.0/0\" to pass the check\n        }\n      }\n    ]\n  }\n}\n```",
+      "Other": "1. In Azure Portal, go to Network Security Groups and open the NSG attached to the resource\n2. Select Inbound security rules\n3. Find any rule that allows TCP 3389 with Source set to Any/Internet/*/0.0.0.0/0\n4. Delete the rule, or edit it and set Source to a specific IP/CIDR (e.g., <AUTHORIZED_CIDR>)\n5. Save",
+      "Terraform": "```hcl\n# NSG with RDP allowed only from a restricted CIDR (not Internet)\nresource \"azurerm_network_security_group\" \"<example_resource_name>\" {\n  name                = \"<example_resource_name>\"\n  location            = \"<region>\"\n  resource_group_name = \"<example_resource_name>\"\n\n  security_rule {\n    name                       = \"Allow-RDP-Restricted\"\n    priority                   = 100\n    direction                  = \"Inbound\"\n    access                     = \"Allow\"\n    protocol                   = \"Tcp\"\n    source_port_range          = \"*\"\n    destination_port_range     = \"3389\"\n    destination_address_prefix = \"*\"\n    source_address_prefix      = \"<AUTHORIZED_CIDR>\" # CRITICAL: restrict source; not \"*\", \"Internet\", or \"0.0.0.0/0\" so the check passes\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Where RDP is not explicitly required and narrowly configured for resources attached to the Network Security Group, Internet-level access to your Azure resources should be restricted or eliminated. For internal access to relevant resources, configure an encrypted network tunnel such as: ExpressRoute Site-to-site VPN Point-to-site VPN",
-      "Url": "https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-1-establish-network-segmentation-boundaries"
+      "Text": "Enforce **least privilege** for remote admin:\n- Remove `Allow` to `3389` from `0.0.0.0/0`\n- Limit access to fixed IPs or private networks\n- Prefer Azure Bastion, JIT, or VPN/ExpressRoute\n- Harden auth (strong keys, MFA) and monitor\n\nAdopt **zero trust** and **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/network_rdp_internet_access_restricted"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/azure/services/network/network_ssh_internet_access_restricted/network_ssh_internet_access_restricted.metadata.json

@@ -1,30 +1,37 @@
 {
   "Provider": "azure",
   "CheckID": "network_ssh_internet_access_restricted",
-  "CheckTitle": "Ensure that SSH access from the Internet is evaluated and restricted",
+  "CheckTitle": "Network security group does not allow inbound SSH (TCP port 22) from the Internet",
   "CheckType": [],
   "ServiceName": "network",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "high",
-  "ResourceType": "Network",
+  "ResourceType": "microsoft.network/networksecuritygroups",
   "ResourceGroup": "network",
-  "Description": "Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.",
-  "Risk": "The potential security problem with using SSH over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network or even attack networked devices outside of Azure.",
-  "RelatedUrl": "https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices#disable-rdpssh-access-to-azure-virtual-machines",
+  "Description": "**Azure NSG** inbound rules that allow **SSH** on `TCP 22` from `0.0.0.0/0`, `Internet`, or `*` are identified, including rules where port ranges include `22` and protocol is `TCP` or `*`.\n\nIndicates NSGs exposing SSH to the Internet.",
+  "Risk": "Public **SSH** access weakens **confidentiality** and **integrity**. Open `22` invites brute force and key theft, enabling remote shell control, persistence, and **lateral movement**. Attackers can pivot into VNets, exfiltrate data, deploy crypto-miners, and impact **availability**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Network/unrestricted-ssh-access.html",
+    "https://learn.microsoft.com/en-us/azure/security/fundamentals/network-best-practices#disable-rdpssh-access-to-azure-virtual-machines",
+    "https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-1-establish-network-segmentation-boundaries"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Network/unrestricted-ssh-access.html",
-      "Terraform": "https://docs.prowler.com/checks/azure/azure-networking-policies/bc_azr_networking_3#terraform"
+      "CLI": "az network nsg rule delete --resource-group <RESOURCE_GROUP> --nsg-name <NSG_NAME> --name <RULE_NAME>",
+      "NativeIaC": "```bicep\n// NSG allowing SSH only from a specific source (not the Internet)\nresource <example_resource_name> 'Microsoft.Network/networkSecurityGroups@2023-09-01' = {\n  name: '<example_resource_name>'\n  location: '<location>'\n  properties: {\n    securityRules: [\n      {\n        name: '<example_rule_name>'\n        properties: {\n          priority: 100\n          direction: 'Inbound'\n          access: 'Allow'\n          protocol: 'Tcp'\n          sourcePortRange: '*'\n          destinationPortRange: '22'\n          sourceAddressPrefix: '<ALLOWED_CIDR>' // CRITICAL: restrict SSH source; not Internet/*/0.0.0.0/0\n          destinationAddressPrefix: '*'\n        }\n      }\n    ]\n  }\n}\n```",
+      "Other": "1. In Azure Portal, go to Network security groups and open <NSG_NAME>\n2. Select Inbound security rules\n3. Find any rule that allows TCP 22 from Internet/Any/0.0.0.0/0\n4. Delete the rule, or Edit it and set Source to IP Addresses with only your allowed CIDR(s)\n5. Save",
+      "Terraform": "```hcl\n# Restrict SSH to a specific source so port 22 is not open to the Internet\nresource \"azurerm_network_security_rule\" \"<example_resource_name>\" {\n  name                        = \"<example_rule_name>\"\n  resource_group_name         = \"<example_resource_name>\"\n  network_security_group_name = \"<example_resource_name>\"\n  priority                    = 100\n  direction                   = \"Inbound\"\n  access                      = \"Allow\"\n  protocol                    = \"Tcp\"\n  source_port_range           = \"*\"\n  destination_port_range      = \"22\"\n  source_address_prefix       = \"<ALLOWED_CIDR>\" # CRITICAL: restrict SSH source; not Internet/*/0.0.0.0/0\n  destination_address_prefix  = \"*\"\n}\n```"
     },
     "Recommendation": {
-      "Text": "Where SSH is not explicitly required and narrowly configured for resources attached to the Network Security Group, Internet-level access to your Azure resources should be restricted or eliminated. For internal access to relevant resources, configure an encrypted network tunnel such as: ExpressRoute Site-to-site VPN Point-to-site VPN",
-      "Url": "https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-1-establish-network-segmentation-boundaries"
+      "Text": "Apply **least privilege** on SSH:\n- Remove public rules to `TCP 22` from `0.0.0.0/0`\n- Allowlist specific admin IPs or management subnets\n- Prefer **Azure Bastion**, **JIT access**, or **VPN/ExpressRoute** for admin\n- Use key-based auth, disable passwords, and remove unnecessary public IPs\n\nAdopt **defense in depth** with logging and periodic reviews.",
+      "Url": "https://hub.prowler.com/check/network_ssh_internet_access_restricted"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/azure/services/network/network_udp_internet_access_restricted/network_udp_internet_access_restricted.metadata.json

@@ -1,30 +1,37 @@
 {
   "Provider": "azure",
   "CheckID": "network_udp_internet_access_restricted",
-  "CheckTitle": "Ensure that UDP access from the Internet is evaluated and restricted",
+  "CheckTitle": "Network security group does not allow inbound UDP from the Internet",
   "CheckType": [],
   "ServiceName": "network",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "high",
-  "ResourceType": "Network",
+  "ResourceType": "microsoft.network/networksecuritygroups",
   "ResourceGroup": "network",
-  "Description": "Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.",
-  "Risk": "The potential security problem with broadly exposing UDP services over the Internet is that attackers can use DDoS amplification techniques to reflect spoofed UDP traffic from Azure Virtual Machines. The most common types of these attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP and other UDP-based services as amplification sources for disrupting services of other machines on the Azure Virtual Network or even attack networked devices outside of Azure.",
-  "RelatedUrl": "https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices#secure-your-critical-azure-service-resources-to-only-your-virtual-networks",
+  "Description": "**Azure NSG rules** are assessed for **inbound UDP** exposure to the public Internet (e.g., `0.0.0.0/0`, `*`, `Internet`). The finding identifies allow rules that permit unsolicited **UDP** traffic from any external source to attached resources.",
+  "Risk": "Publicly reachable **UDP** services enable **DDoS reflection/amplification**, exhausting bandwidth and compute and degrading **availability** for workloads and networks. Open services (DNS, NTP, SSDP, SNMP, CLDAP) can be abused with spoofed traffic, turning endpoints into amplifiers and disrupting adjacent resources.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "http://learn.microsoft.com/en-us/azure/ddos-protection/fundamental-best-practices",
+    "https://learn.microsoft.com/en-us/azure/security/fundamentals/network-best-practices#secure-your-critical-azure-service-resources-to-only-your-virtual-networks",
+    "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Network/unrestricted-udp-access.html#"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Network/unrestricted-udp-access.html#",
-      "Terraform": "https://docs.prowler.com/checks/azure/azure-networking-policies/ensure-that-udp-services-are-restricted-from-the-internet#terraform"
+      "CLI": "az network nsg rule update --resource-group <RESOURCE_GROUP> --nsg-name <NSG_NAME> --name <RULE_NAME> --access Deny",
+      "NativeIaC": "```bicep\n// Update the existing NSG rule to block UDP from the Internet\nresource nsg 'Microsoft.Network/networkSecurityGroups@2023-09-01' existing = {\n  name: '<example_resource_name>'\n}\n\nresource rule 'Microsoft.Network/networkSecurityGroups/securityRules@2023-09-01' = {\n  name: '${nsg.name}/<example_resource_name>'\n  properties: {\n    priority: 100\n    direction: 'Inbound'\n    access: 'Deny' // CRITICAL: Change access to Deny so UDP from Internet is not allowed\n    protocol: 'Udp'\n    sourceAddressPrefix: '*'\n    destinationAddressPrefix: '*'\n    sourcePortRange: '*'\n    destinationPortRange: '*'\n  }\n}\n```",
+      "Other": "1. In the Azure portal, go to Network security groups and open the NSG attached to the resource\n2. Select Inbound security rules\n3. Find any rule with Protocol = UDP, Direction = Inbound, Action = Allow, and Source set to Any/Internet/0.0.0.0/0\n4. Click the rule, set Action to Deny (or change Source to a specific trusted range), then Save\n5. Repeat for any remaining UDP Allow rules from the Internet",
+      "Terraform": "```hcl\n# Modify the existing NSG rule to deny UDP from the Internet\nresource \"azurerm_network_security_rule\" \"<example_resource_name>\" {\n  name                        = \"<example_resource_name>\"  # existing rule name\n  resource_group_name         = \"<example_resource_name>\"\n  network_security_group_name = \"<example_resource_name>\"\n  priority                    = 100\n  direction                   = \"Inbound\"\n  access                      = \"Deny\" # CRITICAL: Change access to Deny to remove the Allow condition\n  protocol                    = \"Udp\"\n  source_address_prefix       = \"*\"\n  destination_address_prefix  = \"*\"\n  source_port_range           = \"*\"\n  destination_port_range      = \"*\"\n}\n```"
     },
     "Recommendation": {
-      "Text": "Where UDP is not explicitly required and narrowly configured for resources attached tothe Network Security Group, Internet-level access to your Azure resources should be restricted or eliminated. For internal access to relevant resources, configure an encrypted network tunnel such as: ExpressRouteSite-to-site VPN Point-to-site VPN",
-      "Url": "https://docs.microsoft.com/en-us/azure/security/fundamentals/ddos-best-practices"
+      "Text": "Apply **least privilege** on NSG rules:\n- Deny Internet `UDP` inbound by default\n- Allow only required sources/ports\n- Prefer private access (VNets, private endpoints, VPN/ExpressRoute)\n- Use **defense in depth** with Azure Firewall and DDoS Protection\n- Monitor and disable or rate-limit unnecessary UDP services",
+      "Url": "https://hub.prowler.com/check/network_udp_internet_access_restricted"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/azure/services/network/network_watcher_enabled/network_watcher_enabled.metadata.json

@@ -1,30 +1,38 @@
 {
   "Provider": "azure",
   "CheckID": "network_watcher_enabled",
-  "CheckTitle": "Ensure that Network Watcher is 'Enabled' for all locations in the Azure subscription",
+  "CheckTitle": "Network Watcher is enabled for all locations in the subscription",
   "CheckType": [],
   "ServiceName": "network",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
-  "Severity": "medium",
-  "ResourceType": "Network",
+  "Severity": "high",
+  "ResourceType": "microsoft.network/networkwatchers",
   "ResourceGroup": "network",
-  "Description": "Enable Network Watcher for Azure subscriptions.",
-  "Risk": "Network diagnostic and visualization tools available with Network Watcher help users understand, diagnose, and gain insights to the network in Azure.",
-  "RelatedUrl": "https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview",
+  "Description": "**Azure Network Watcher** presence across the subscription's regions. The assessment checks that a Network Watcher instance exists in every subscription location where resources may be deployed.",
+  "Risk": "Absent **Network Watcher** in a region creates blind spots in **network telemetry and diagnostics**, hindering detection of anomalies. Attackers can exploit unnoticed NSG or routing issues for lateral movement or data exfiltration, degrading **confidentiality** and **availability** and slowing incident triage.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v2-logging-threat-detection#lt-3-enable-logging-for-azure-network-activities",
+    "https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-overview",
+    "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Network/enable-network-watcher.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Network/enable-network-watcher.html",
-      "Terraform": ""
+      "CLI": "az network watcher configure --resource-group NetworkWatcherRG --enabled true --locations <LOCATION_1> <LOCATION_2>",
+      "NativeIaC": "```bicep\n// Deploy this to the resource group named \"NetworkWatcherRG\"\nparam locations array\n\nresource watchers 'Microsoft.Network/networkWatchers@2023-09-01' = [for loc in locations: {\n  name: 'NetworkWatcher_${loc}'\n  location: loc // CRITICAL: creates a Network Watcher in the specified region\n}]\n```",
+      "Other": "1. In Azure Portal, search for \"Network Watcher\" and open it\n2. Select the target subscription\n3. In Overview, under Regions, for each region with Status = Disabled, click Enable\n4. Confirm all regions show Enabled",
+      "Terraform": "```hcl\nvariable \"locations\" {\n  type = list(string)\n}\n\nresource \"azurerm_network_watcher\" \"watchers\" {\n  for_each           = toset(var.locations)\n  name               = \"NetworkWatcher_${each.value}\"\n  location           = each.value       # CRITICAL: ensures a watcher exists in this region\n  resource_group_name = \"NetworkWatcherRG\" # CRITICAL: place in NetworkWatcherRG as expected by the check\n}\n```"
     },
     "Recommendation": {
-      "Text": "Opting out of Network Watcher automatic enablement is a permanent change. Once you opt-out you cannot opt-in without contacting support.",
-      "Url": "https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v2-logging-threat-detection#lt-3-enable-logging-for-azure-network-activities"
+      "Text": "Enable **Network Watcher** in all regions and keep it enabled as your footprint expands.\n\nApply **defense in depth** by centralizing network logs and analytics, enforce coverage with policy, and restrict tool access by **least privilege**. Align retention and monitoring to support timely detection and investigation.",
+      "Url": "https://hub.prowler.com/check/network_watcher_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "logging",
+    "forensics-ready"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": "There are additional costs per transaction to run and store network data. For high-volume networks these charges will add up quickly."

prowler/providers/azure/services/policy/policy_ensure_asc_enforcement_enabled/policy_ensure_asc_enforcement_enabled.metadata.json

@@ -1,27 +1,32 @@
 {
   "Provider": "azure",
   "CheckID": "policy_ensure_asc_enforcement_enabled",
-  "CheckTitle": "Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled'",
+  "CheckTitle": "Security Center built-in policy assignment has enforcement mode set to Default",
   "CheckType": [],
   "ServiceName": "policy",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "Microsoft.Authorization/policyAssignments",
+  "ResourceType": "microsoft.authorization/policyassignments",
   "ResourceGroup": "governance",
-  "Description": "None of the settings offered by ASC Default policy should be set to effect Disabled.",
-  "Risk": "A security policy defines the desired configuration of your workloads and helps ensure compliance with company or regulatory security requirements. ASC Default policy is associated with every subscription by default. ASC default policy assignment is a set of security recommendations based on best practices. Enabling recommendations in ASC default policy ensures that Azure security center provides the ability to monitor all of the supported recommendations and optionally allow automated action for a few of the supported recommendations.",
-  "RelatedUrl": "https://learn.microsoft.com/en-us/azure/defender-for-cloud/security-policy-concept",
+  "Description": "**Defender for Cloud default policy assignment** (`SecurityCenterBuiltIn`) uses enforcement mode `Default` rather than `DoNotEnforce`",
+  "Risk": "With `DoNotEnforce`, policy effects like `deny` and `deployIfNotExists` aren't applied, letting insecure configs persist. This erodes **confidentiality** and **integrity** (exposed endpoints, weak encryption) and can affect **availability** via unpatched or misconfigured services, enabling compromise and lateral movement.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/azure/defender-for-cloud/policy-reference",
+    "https://learn.microsoft.com/en-us/azure/defender-for-cloud/implement-security-recommendations",
+    "https://learn.microsoft.com/en-us/azure/defender-for-cloud/security-policy-concept"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "az policy assignment update --name SecurityCenterBuiltIn --scope /subscriptions/<SUBSCRIPTION_ID> --enforcement-mode Default",
+      "NativeIaC": "```bicep\n// Set enforcement mode to Default for the Security Center built-in assignment\n// Deploy at subscription scope\ntargetScope = 'subscription'\n\nresource policyAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' = {\n  name: 'SecurityCenterBuiltIn'\n  properties: {\n    policyDefinitionId: '<POLICY_OR_INITIATIVE_DEFINITION_ID>'\n    enforcementMode: 'Default' // CRITICAL: Ensures the assignment enforces policy (fixes the finding)\n  }\n}\n```",
+      "Other": "1. In Azure portal, go to Policy > Assignments\n2. Find the assignment named \"SecurityCenterBuiltIn\" and select it\n3. Click Edit assignment\n4. Set Enforcement mode to Enabled (Default)\n5. Click Review + save to apply",
+      "Terraform": "```hcl\n# Set enforcement mode to Default for the Security Center built-in assignment\nresource \"azurerm_policy_assignment\" \"<example_resource_name>\" {\n  name                 = \"SecurityCenterBuiltIn\"\n  scope                = \"/subscriptions/<SUBSCRIPTION_ID>\"\n  policy_definition_id = \"<POLICY_OR_INITIATIVE_DEFINITION_ID>\"\n  enforcement_mode     = \"Default\" # CRITICAL: Enables enforcement to pass the check\n}\n```"
     },
     "Recommendation": {
-      "Text": "1. From Azure Home select the Portal Menu 2. Select Policy 3. Select ASC Default for each subscription 4. Click on 'view Assignment' 5. Click on 'Edit assignment' 6. Ensure Policy Enforcement is Enabled 7. Click 'Review + Save'",
-      "Url": "https://learn.microsoft.com/en-us/azure/defender-for-cloud/implement-security-recommendations"
+      "Text": "Keep enforcement mode `Default` on the default initiative and avoid disabling critical effects. Apply at scale for consistent governance, align with **least privilege** and **defense in depth**, validate changes in `Audit` in non-prod, and manage justified exceptions via time-bound policy exemptions instead of turning enforcement off.",
+      "Url": "https://hub.prowler.com/check/policy_ensure_asc_enforcement_enabled"
     }
   },
   "Categories": [],