Rule catalog

ARGUS ships 245 Rego rules organised by zero-trust pillar. Each rule carries NIST 800-53, MITRE ATT&CK, and framework-tag metadata used for compliance mapping and reporting.

Use your browser's search (Ctrl/Cmd+F) to find a specific rule ID or keyword.

Data (60 rules)

| ID | Title | Severity | Chain role |
|---|---|---|---|
| cis_2_1_23 | Defender for Key Vault not enabled | High | ENABLER |
| cis_2_1_26 | Defender for Azure Cosmos DB enabled | Medium | ENABLER |
| cis_2_1_27 | Defender for open-source relational databases enabled | Medium | ENABLER |
| cis_2_1_28 | Defender for Azure SQL Database enabled | High | ENABLER |
| cis_3_1 | Ensure 'Secure transfer required' is enabled on storage accounts | High | ENABLER |
| cis_3_16 | Storage account uses private endpoints | High | ENABLER |
| cis_3_2 | Ensure infrastructure encryption is enabled on storage accounts | Medium | ENABLER |
| cis_3_3 | Ensure public blob access is disabled on storage accounts | Critical | ANCHOR |
| cis_3_4 | Ensure default network access rule is Deny on storage accounts | High | AMPLIFIER |
| cis_3_5 | Ensure storage accounts use private endpoints | Medium | ENABLER |
| cis_3_6 | Ensure soft delete is enabled for blob service | Medium | ENABLER |
| cis_3_7 | Ensure soft delete is enabled for containers | Medium | ENABLER |
| cis_4_1 | Ensure 'Auditing' is set to On for SQL servers | High | ENABLER |
| cis_4_2 | Ensure Transparent Data Encryption is enabled on SQL databases | High | ENABLER |
| cis_4_3 | Ensure SQL server Advanced Data Security is enabled | Medium | ENABLER |
| cis_4_4 | Ensure public network access is disabled for SQL servers | Critical | ANCHOR |
| cis_4_5 | Ensure 'Enforce SSL connection' is enabled for PostgreSQL | High | ENABLER |
| cis_4_7 | SQL Database has long-term backup retention configured | Medium | AMPLIFIER |
| cis_7_8 | Virtual Machine managed disks use customer-managed keys | Medium | AMPLIFIER |
| cis_7_9 | Unattached disks are encrypted with customer-managed key | Medium | AMPLIFIER |
| cis_8_1 | Ensure Key Vault has soft delete and purge protection enabled | Critical | ANCHOR |
| cis_8_2 | Ensure Key Vault keys have rotation policies | Medium | ENABLER |
| cis_8_4 | Ensure Key Vault uses private endpoints | High | AMPLIFIER |
| cis_8_5 | Key Vault secrets have expiration date set | Medium | AMPLIFIER |
| cis_8_6 | Key Vault keys have rotation policy configured | Medium | AMPLIFIER |
| cis_8_7 | Key Vault uses private endpoint | High | ENABLER |
| zt_ai_003 | Cognitive Services account lacks customer-managed key encryption | Medium | ENABLER |
| zt_ai_005 | Azure ML Workspace uses the default Microsoft-managed key | High | ENABLER |
| zt_bak_001 | Recovery Services Vault lacks immutability protection | High | ENABLER |
| zt_bak_002 | Recovery Services Vault has soft delete disabled | High | ENABLER |
| zt_bak_003 | Recovery Services Vault has no cross-region restore | Medium | ENABLER |
| zt_bak_004 | Recovery Services backup policy has retention below 7 days | Medium | ENABLER |
| zt_data_001 | Storage account allows public blob access | Critical | ANCHOR |
| zt_data_002 | SQL Server Transparent Data Encryption (TDE) disabled | High | ENABLER |
| zt_data_003 | SQL Server auditing not enabled | High | ENABLER |
| zt_data_004 | Key Vault soft delete disabled | Critical | ENABLER |
| zt_data_005 | Key Vault purge protection disabled | Critical | ENABLER |
| zt_data_006 | Storage account encryption-at-rest key source not configured | High | ENABLER |
| zt_data_007 | SQL Server firewall allows all Azure services | High | AMPLIFIER |
| zt_data_008 | VM has no backup protection | Medium | ENABLER |
| zt_data_009 | Key Vault lacks diagnostic settings for secret lifecycle visibility | Medium | ENABLER |
| zt_data_010 | Storage account not using customer-managed keys (BYOK) | Medium | ENABLER |
| zt_data_011 | Cosmos DB account allows access from all networks | High | ANCHOR |
| zt_data_012 | SQL Server auditing not enabled | High | ENABLER |
| zt_data_013 | Storage account soft delete not enabled for blobs | Medium | AMPLIFIER |
| zt_data_014 | Key Vault does not have purge protection enabled | High | ENABLER |
| zt_data_015 | SQL Database TDE uses service-managed key instead of customer-managed | Medium | AMPLIFIER |
| zt_data_016 | Storage account blob versioning not enabled | Low | AMPLIFIER |
| zt_data_017 | Critical resources have no Azure Backup configured | High | ENABLER |
| zt_data_018 | Event Hub namespace does not use customer-managed key encryption | Medium | AMPLIFIER |
| zt_data_019 | Service Bus namespace allows public network access | High | ANCHOR |
| zt_data_020 | Cognitive Services account allows public network access | High | ANCHOR |
| zt_data_021 | Azure Data Factory is internet-accessible for integration runtime control plane | High | ANCHOR |
| zt_data_023 | Synapse workspace allows public SQL endpoint access | High | ANCHOR |
| zt_data_024 | Redis Cache uses TLS < 1.2 or allows non-SSL port | Medium | AMPLIFIER |
| zt_data_025 | Stream Analytics job lacks customer-managed key encryption | High | ENABLER |
| zt_data_027 | Microsoft Purview account allows public network access | Medium | ANCHOR |
| zt_data_028 | Synapse Dedicated SQL Pool has no Transparent Data Encryption | High | ENABLER |
| zt_data_030 | NetApp volume permits NFS v3 (no Kerberos) from mount endpoints | Medium | AMPLIFIER |
| zt_data_031 | Storage Data Lake Gen2 container has no ACL-based access control | Medium | ENABLER |

Identity (49 rules)

| ID | Title | Severity | Chain role |
|---|---|---|---|
| cis_1_1 | Ensure Multi-Factor Authentication is enabled for all non-privileged users | High | ANCHOR |
| cis_1_10 | Ensure no more than 3 subscription Owners exist | Medium | ENABLER |
| cis_1_11 | Ensure disabled user accounts do not hold role assignments | High | AMPLIFIER |
| cis_1_12 | Ensure guest users do not have privileged role assignments | Critical | ANCHOR |
| cis_1_13 | Ensure access reviews exist for privileged roles | Medium | ENABLER |
| cis_1_14 | Ensure Privileged Identity Management (PIM) is in use | Medium | ENABLER |
| cis_1_15 | Ensure app registrations do not have high-privilege Graph permissions | Critical | ANCHOR |
| cis_1_2 | Ensure MFA is enabled for all privileged users | Critical | ANCHOR |
| cis_1_24 | Custom subscription owner roles are not created | Medium | AMPLIFIER |
| cis_1_25 | Role assignments use groups instead of individual users | Low | AMPLIFIER |
| cis_1_3 | Ensure guest users are reviewed on a regular basis | Medium | ENABLER |
| cis_1_4 | Ensure no custom subscription owner roles are created | High | AMPLIFIER |
| cis_1_5 | Ensure all subscription Owners have MFA enabled | Critical | ANCHOR |
| cis_1_6 | Ensure that 'Guest invite restrictions' is set to admins only | Medium | ENABLER |
| cis_1_7 | Ensure no service principal credentials are expired | High | ENABLER |
| cis_1_8 | Ensure legacy authentication protocols are blocked | High | ENABLER |
| cis_1_9 | Ensure admins are notified on password resets | Low | ENABLER |
| cis_4_6 | SQL Server uses Azure AD-only authentication | High | ENABLER |
| cis_9_13 | App Service uses managed identity for authentication | Medium | ENABLER |
| zt_ai_002 | Cognitive Services account relies on shared subscription keys (local auth enabled) | High | AMPLIFIER |
| zt_id_001 | Service Principal credential never expires | High | ENABLER |
| zt_id_002 | Service not using managed identity | Medium | AMPLIFIER |
| zt_id_003 | Permanent privileged role assignment without PIM | High | ENABLER |
| zt_id_004 | Cross-tenant access unrestricted | High | ENABLER |
| zt_id_005 | Legacy authentication protocols enabled | High | ENABLER |
| zt_id_006 | No enabled conditional access policies | Critical | ENABLER |
| zt_id_007 | No PIM assignments configured | Medium | ENABLER |
| zt_id_008 | Service Principal holds Owner/Contributor at subscription scope | Critical | AMPLIFIER |
| zt_id_009 | External collaboration unrestricted | Medium | ENABLER |
| zt_id_010 | No access reviews configured | Medium | ENABLER |
| zt_id_011 | App Registration holds high-privilege Microsoft Graph permissions | Critical | ANCHOR |
| zt_id_012 | No emergency access (break-glass) accounts configured | Critical | ANCHOR |
| zt_id_013 | Conditional Access policies do not define named locations | High | ENABLER |
| zt_id_014 | No authentication strength policy enforced for administrators | High | ENABLER |
| zt_id_015 | Self-service password reset allows weak authentication methods | Medium | AMPLIFIER |
| zt_id_016 | Guest users have excessive directory permissions | High | ENABLER |
| zt_id_017 | Cross-tenant access settings allow inbound trust by default | High | ENABLER |
| zt_id_018 | Identity Protection sign-in risk policy not enabled | High | ENABLER |
| zt_id_019 | Token lifetime exceeds secure threshold | Medium | AMPLIFIER |
| zt_id_020 | Administrative units not used for role scoping | Low | AMPLIFIER |
| zt_id_021 | PIM role activation lacks approval workflow | High | ENABLER |
| zt_id_022 | User risk policy not enabled in Identity Protection | High | ENABLER |
| zt_id_023 | MFA registration policy not enforced for all users | High | ENABLER |
| zt_id_024 | Service principal credentials not rotated within 90 days | Medium | AMPLIFIER |
| zt_id_025 | Managed identity not used where available | Medium | AMPLIFIER |
| zt_id_026 | No access reviews configured for privileged roles | High | ENABLER |
| zt_int_002 | API Management lacks a system-assigned managed identity | Medium | ENABLER |
| zt_int_003 | Event Grid / Service Bus / Event Hub namespace allows local auth (SAS keys) | Medium | AMPLIFIER |
| zt_wl_026 | App Configuration store allows local authentication (access keys) | Medium | AMPLIFIER |

Network (45 rules)

| ID | Title | Severity | Chain role |
|---|---|---|---|
| cis_2_1_24 | Defender for DNS not enabled | Medium | ENABLER |
| cis_3_17 | Storage account minimum TLS version is 1.2 | High | ENABLER |
| cis_6_1 | Ensure SSH (port 22) is not exposed to the internet | Critical | ANCHOR |
| cis_6_10 | Web Application Firewall (WAF) is enabled for Application Gateway | High | ENABLER |
| cis_6_11 | Ensure management VMs do not have public IP addresses | High | AMPLIFIER |
| cis_6_2 | Ensure RDP (port 3389) is not exposed to the internet | Critical | ANCHOR |
| cis_6_3 | Ensure UDP services are not exposed to the internet | High | AMPLIFIER |
| cis_6_7 | Azure Firewall Premium SKU not deployed | High | ENABLER |
| cis_6_9 | Public IP addresses not associated with DDoS protection | Medium | AMPLIFIER |
| cis_9_11 | App Service uses latest TLS version | High | ENABLER |
| cis_9_14 | App Service restricts CORS to specific origins | Medium | AMPLIFIER |
| zt_ai_006 | Azure ML compute cluster does not enforce SSH to private network | Medium | AMPLIFIER |
| zt_data_022 | Databricks workspace deploys worker VMs with public IPs | High | AMPLIFIER |
| zt_data_026 | HDInsight cluster deploys with public gateway enabled | High | ANCHOR |
| zt_data_029 | MariaDB server requires SSL or uses minimum TLS version 1.2 | High | AMPLIFIER |
| zt_int_001 | API Management instance accepts weak TLS on the gateway | High | AMPLIFIER |
| zt_int_004 | Logic App workflow accepts HTTP trigger from anywhere with no IP restriction | High | ANCHOR |
| zt_int_005 | Traffic Manager profile uses HTTP (not HTTPS) for probes | Medium | AMPLIFIER |
| zt_int_006 | Front Door profile accepts TLS below 1.2 | High | AMPLIFIER |
| zt_int_008 | API Management is not deployed in internal-VNet mode for sensitive backends | Medium | ENABLER |
| zt_net_001 | NSG allows SSH (22) from the Internet | Critical | ANCHOR |
| zt_net_002 | NSG allows RDP (3389) from the Internet | Critical | ANCHOR |
| zt_net_003 | Subnet has no associated Network Security Group | High | ENABLER |
| zt_net_004 | VNet peering without central firewall inspection | Medium | AMPLIFIER |
| zt_net_005 | No Azure Firewall or NVA deployed | Medium | ENABLER |
| zt_net_006 | Virtual Machine has a direct public IP | High | ANCHOR |
| zt_net_007 | VNet missing DDoS protection | Medium | ENABLER |
| zt_net_008 | Application Gateway without WAF | High | ENABLER |
| zt_net_009 | Storage account network default action is Allow | High | AMPLIFIER |
| zt_net_010 | PaaS resource missing private endpoint | Medium | ENABLER |
| zt_net_011 | Azure Firewall not deployed in hub virtual network | High | ENABLER |
| zt_net_012 | Azure Firewall threat intelligence mode not set to Alert and Deny | High | AMPLIFIER |
| zt_net_013 | Virtual network has no DDoS protection plan | Medium | ENABLER |
| zt_net_014 | Application Gateway does not have WAF enabled | High | ENABLER |
| zt_net_015 | VPN Gateway not using IKEv2 or OpenVPN protocol | Medium | AMPLIFIER |
| zt_net_016 | Network Watcher not enabled in all regions | Medium | ENABLER |
| zt_net_017 | Front Door does not have WAF policy attached | High | ENABLER |
| zt_net_018 | NSG allows all outbound traffic to the Internet | Medium | AMPLIFIER |
| zt_net_019 | Subnet has no Network Security Group associated | High | ENABLER |
| zt_net_020 | Virtual network peering allows forwarded traffic from remote | Medium | AMPLIFIER |
| zt_net_021 | VPN Gateway uses a deprecated Basic SKU | Medium | AMPLIFIER |
| zt_net_022 | Private DNS Zone has no virtual-network link — private endpoints unreachable | Medium | ENABLER |
| zt_net_023 | ExpressRoute circuit does not use MACsec encryption | Medium | AMPLIFIER |
| zt_net_024 | NAT Gateway has no idle timeout configured for long-lived connections | Low | ENABLER |
| zt_wl_025 | Container App is externally-ingressed and allows insecure HTTP | High | AMPLIFIER |

Visibility (47 rules)

| ID | Title | Severity | Chain role |
|---|---|---|---|
| cis_2_1 | Ensure Microsoft Defender for Servers is set to Standard | High | ENABLER |
| cis_2_1_25 | Defender for Resource Manager not enabled | Medium | ENABLER |
| cis_2_2 | Ensure Microsoft Defender for App Service is set to Standard | High | ENABLER |
| cis_2_3 | Ensure Microsoft Defender for SQL Servers is set to Standard | High | ENABLER |
| cis_2_4 | Ensure Microsoft Defender for Storage is set to Standard | High | ENABLER |
| cis_2_5 | Ensure Microsoft Defender for Containers is set to Standard | High | ENABLER |
| cis_2_6 | Ensure Microsoft Defender for Key Vault is set to Standard | High | ENABLER |
| cis_2_7 | Ensure Microsoft Defender for DNS is set to Standard | High | ENABLER |
| cis_2_8 | Ensure Microsoft Defender for Resource Manager is set to Standard | High | ENABLER |
| cis_3_8 | Ensure storage account diagnostic logs are enabled | Medium | ENABLER |
| cis_5_1 | Ensure a diagnostic setting exists at subscription scope | High | ENABLER |
| cis_5_2 | Ensure Activity Log retention is 365 days or more | Medium | ENABLER |
| cis_5_3 | Ensure activity log alert exists for Create Policy Assignment | Medium | ENABLER |
| cis_5_4 | Ensure activity log alert exists for NSG rule changes | Medium | ENABLER |
| cis_5_5 | Ensure activity log alert exists for SQL firewall rule changes | Medium | ENABLER |
| cis_5_6 | Ensure activity log alert exists for Security Solution changes | Medium | ENABLER |
| cis_5_7 | Azure Monitor Diagnostic Settings captures all categories | Medium | AMPLIFIER |
| cis_5_8 | Activity Log retention set to 365 days or more | Medium | AMPLIFIER |
| cis_5_9 | Network Security Group flow log retention set to >= 90 days | Medium | AMPLIFIER |
| cis_6_4 | Ensure Network Watcher is enabled | Medium | ENABLER |
| cis_6_5 | Ensure NSG flow logs are enabled | Medium | ENABLER |
| cis_6_8 | NSG flow logs not enabled for all NSGs | Medium | AMPLIFIER |
| cis_7_4 | Ensure vulnerability assessment is enabled on VMs | Medium | ENABLER |
| cis_8_3 | Ensure Key Vault has diagnostic settings enabled | Medium | ENABLER |
| zt_int_007 | API Management instance has no diagnostic logs routed to Log Analytics or Event Hub | Medium | ENABLER |
| zt_vis_001 | Security-relevant resource has no diagnostic settings | High | ENABLER |
| zt_vis_002 | No Log Analytics workspace in subscription | High | ENABLER |
| zt_vis_003 | Microsoft Defender for Cloud plans on Free tier | Medium | ENABLER |
| zt_vis_004 | No alerting on critical management operations | High | ENABLER |
| zt_vis_005 | Activity log retention appears insufficient | Medium | ENABLER |
| zt_vis_006 | NSG flow logs disabled | High | ENABLER |
| zt_vis_007 | No Microsoft Sentinel deployment found | High | ENABLER |
| zt_vis_008 | No alert on Owner role assignment | High | ENABLER |
| zt_vis_009 | No Network Watcher in subscription | Medium | ENABLER |
| zt_vis_010 | Just-in-Time VM access not configured | Medium | ENABLER |
| zt_vis_011 | No Log Analytics workspace configured in subscription | High | ENABLER |
| zt_vis_012 | No Azure Monitor alert rules configured for critical operations | Medium | AMPLIFIER |
| zt_vis_013 | NSG flow log retention period is less than 90 days | Medium | AMPLIFIER |
| zt_vis_014 | Key Vault diagnostic logging not enabled | High | ENABLER |
| zt_vis_015 | SQL Server audit log retention less than 90 days | Medium | AMPLIFIER |
| zt_vis_016 | Storage account access logging not enabled | Medium | AMPLIFIER |
| zt_vis_017 | Activity log not exported to Log Analytics workspace | High | ENABLER |
| zt_vis_018 | No Azure Monitor action groups configured | Medium | AMPLIFIER |
| zt_vis_019 | Application Insights not configured for web applications | Medium | AMPLIFIER |
| zt_vis_020 | Defender for Cloud email notifications not configured | Low | AMPLIFIER |
| zt_vis_021 | No Activity Log alert for role assignment creation at subscription scope | Medium | ENABLER |
| zt_vis_022 | No Activity Log alert for Key Vault 'listKeys' or 'listSecrets' operations | Medium | ENABLER |

Workload (44 rules)

| ID | Title | Severity | Chain role |
|---|---|---|---|
| cis_2_1_22 | Defender for Containers not enabled | High | ENABLER |
| cis_7_1 | Ensure endpoint protection is installed on VMs | High | ENABLER |
| cis_7_10 | Only approved VM extensions are installed | Medium | AMPLIFIER |
| cis_7_2 | Ensure encryption at host is enabled on VMs | High | ENABLER |
| cis_7_3 | Ensure VM data disks are encrypted | High | ENABLER |
| cis_9_1 | Ensure App Service requires HTTPS only | High | ENABLER |
| cis_9_12 | App Service disables FTP deployment | High | ENABLER |
| cis_9_2 | Ensure App Service minimum TLS version is 1.2 | High | ENABLER |
| cis_9_3 | Ensure App Service remote debugging is disabled | High | ENABLER |
| cis_9_4 | Ensure App Service has HTTP/2 enabled | Low | ENABLER |
| cis_9_5 | Ensure App Service uses managed identity | Medium | ENABLER |
| zt_ai_001 | Azure OpenAI / Cognitive Services account is exposed to the public internet | High | ANCHOR |
| zt_ai_004 | Azure ML Workspace is internet-exposed | High | ANCHOR |
| zt_ai_007 | Bot Service endpoint lacks managed identity authentication | Medium | ENABLER |
| zt_bak_005 | Site Recovery replication policy uses inadequate RPO | High | ENABLER |
| zt_wl_001 | Virtual Machine has no managed identity | High | AMPLIFIER |
| zt_wl_002 | Container image pulled from public registry | Medium | AMPLIFIER |
| zt_wl_003 | AKS API server is publicly reachable without IP allowlist | Critical | ANCHOR |
| zt_wl_004 | Function App has no authentication enabled | Critical | ANCHOR |
| zt_wl_005 | App Service allows HTTP (not HTTPS only) | High | AMPLIFIER |
| zt_wl_006 | VM missing vulnerability assessment extension | Medium | ENABLER |
| zt_wl_007 | AKS cluster allows privileged containers | High | AMPLIFIER |
| zt_wl_008 | App Service has remote debugging enabled | High | ENABLER |
| zt_wl_009 | VM missing antimalware extension | Medium | ENABLER |
| zt_wl_010 | Shared user-assigned managed identity across workloads | Medium | AMPLIFIER |
| zt_wl_011 | App Service uses legacy Easy Auth v1 without client auth enforcement | High | ANCHOR |
| zt_wl_012 | Container Registry has admin account enabled | High | ENABLER |
| zt_wl_013 | Container Registry allows public network access | High | ANCHOR |
| zt_wl_014 | AKS cluster has no network policy configured | High | ENABLER |
| zt_wl_015 | AKS cluster does not use Azure RBAC for Kubernetes authorization | High | ENABLER |
| zt_wl_016 | AKS cluster does not enforce pod security standards | High | AMPLIFIER |
| zt_wl_017 | Function App uses outdated runtime version | Medium | AMPLIFIER |
| zt_wl_018 | App Service has remote debugging enabled | High | ANCHOR |
| zt_wl_019 | App Service does not require client certificates | Medium | AMPLIFIER |
| zt_wl_020 | Virtual Machine disk encryption not enabled | High | ENABLER |
| zt_wl_021 | Defender for Containers not enabled on AKS cluster | High | ENABLER |
| zt_wl_022 | AKS cluster does not use Key Vault CSI driver for secrets | Medium | AMPLIFIER |
| zt_wl_023 | AKS cluster does not use private API server | High | ANCHOR |
| zt_wl_024 | AKS cluster does not have Azure Policy add-on enabled | Medium | AMPLIFIER |
| zt_wl_027 | Virtual Machine Scale Set does not use managed identity | High | ENABLER |
| zt_wl_028 | Service Fabric cluster uses certificate thumbprint auth instead of Entra ID | High | ENABLER |
| zt_wl_029 | VMSS has no automatic OS-image upgrade policy | Medium | ENABLER |
| zt_wl_030 | Container App Environment is zone-redundant but has no managed identity | High | ENABLER |
| zt_wl_031 | Batch account accepts public-endpoint pool access (no private endpoint) | High | ANCHOR |