Lacework for Azure - FAQs

Compliance

Why are both the Azure CIS 1.0 and 1.3.1 benchmarks available in the Compliance reports?

As of v4.32 (platform release on 2nd November 2021), the CIS 1.3.1 benchmarks were added to the Lacework Azure configuration analyzers.

You can select either benchmark version on the Azure Compliance Reports page (alongside other benchmark types).

(Screenshot: azure_compliance_report_types_131.png)

How do I start using the Azure CIS 1.3.1 benchmarks in the Compliance Reports?

See Azure CIS 1.3.1 Benchmark Report for instructions on how to enable the new benchmarks for your Azure environment.

Why do some benchmark rules show a 'Manual' status in the Compliance Reports?

Lacework automates Compliance rules wherever it is possible to do so, but some rules cannot be automated. The reasons vary:

  • The scope is defined by the user.
  • The rule requires configuring other products or API permissions that are out of scope for the Azure integration with Lacework.
  • There are known issues with the audit procedure described by the CIS control rule.

For the Azure CIS 1.3.1 benchmark, certain rules require manual intervention even though the Center for Internet Security (CIS) deemed them automated. Conversely, Lacework has automated some rules that CIS deemed manual.

See the Automated vs Manual Rules section in Azure CIS 1.3.1 Benchmark Report for further details on the affected rules.

Why do some Compliance rules display at the Tenant level but not at the Subscription level?

The majority of the Azure CIS benchmark rules are evaluated at the Subscription level; however, some are evaluated at the Tenant level.

Tenant level rules are displayed only on the Compliance > Azure > Dashboard page. To view only Tenant level rules that have resources in violation, set the Subscriptions dropdown filter to n/a.

A small subset of rules are also applicable to both the Tenant and Subscription levels.

The following table outlines the rules applicable to the Tenant level only (with two exceptions noted at the beginning):

| Rule ID | Category | Title |
| --- | --- | --- |
| Azure_CIS_1_1, Azure_CIS_131_1_1 | Identity and Access Management | Ensure that multi-factor authentication is enabled for all privileged users. Note: Applicable at both Tenant and Subscription level. |
| Azure_CIS_1_2, Azure_CIS_131_1_2 | Identity and Access Management | Ensure that multi-factor authentication is enabled for all non-privileged users. Note: Applicable at both Tenant and Subscription level. |
| Azure_CIS_1_3 | Identity and Access Management | Ensure that there are no guest users. |
| Azure_CIS_131_1_3 | Identity and Access Management | Ensure guest users are reviewed on a monthly basis. |
| Azure_CIS_1_4, Azure_CIS_131_1_4 | Identity and Access Management | Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled'. |
| Azure_CIS_1_5, Azure_CIS_131_1_5 | Identity and Access Management | Ensure that 'Number of methods required to reset' is set to '2'. |
| Azure_CIS_1_6, Azure_CIS_131_1_6 | Identity and Access Management | Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'. |
| Azure_CIS_1_7, Azure_CIS_131_1_7 | Identity and Access Management | Ensure that 'Notify users on password resets?' is set to 'Yes'. |
| Azure_CIS_1_8, Azure_CIS_131_1_8 | Identity and Access Management | Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'. |
| Azure_CIS_1_9, Azure_CIS_131_1_9 | Identity and Access Management | Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No'. |
| Azure_CIS_1_10, Azure_CIS_131_1_10 | Identity and Access Management | Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No'. |
| Azure_CIS_1_11, Azure_CIS_131_1_11 | Identity and Access Management | Ensure that 'Users can register applications' is set to 'No'. |
| Azure_CIS_1_12, Azure_CIS_131_1_12 | Identity and Access Management | Ensure that 'Guest users permissions are limited' is set to 'Yes'. |
| Azure_CIS_1_13, Azure_CIS_131_1_13 | Identity and Access Management | Ensure that 'Members can invite' is set to 'No'. |
| Azure_CIS_1_14, Azure_CIS_131_1_14 | Identity and Access Management | Ensure that 'Guests can invite' is set to 'No'. |
| Azure_CIS_1_15, Azure_CIS_131_1_15 | Identity and Access Management | Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes'. |
| Azure_CIS_1_16 | Identity and Access Management | Ensure that 'Self-service group management enabled' is set to 'No'. |
| Azure_CIS_131_1_16 | Identity and Access Management | Ensure that 'Restrict user ability to access groups features in the Access Pane' is set to 'No'. |
| Azure_CIS_1_17 | Identity and Access Management | Ensure that 'Users can create security groups' is set to 'No'. |
| Azure_CIS_131_1_17 | Identity and Access Management | Ensure that 'Users can create security groups in Azure Portals' is set to 'No'. |
| Azure_CIS_1_18 | Identity and Access Management | Ensure that 'Users who can manage security groups' is set to 'None'. |
| Azure_CIS_131_1_18 | Identity and Access Management | Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'. |
| Azure_CIS_1_19, Azure_CIS_131_1_19 | Identity and Access Management | Ensure that 'Users can create Office 365 groups' is set to 'No'. |
| Azure_CIS_1_20 | Identity and Access Management | Ensure that 'Users who can manage Office 365 groups' is set to 'None'. |
| Azure_CIS_1_21 | Identity and Access Management | Ensure that 'Enable 'All Users' group' is set to 'Yes'. |
| Azure_CIS_1_22, Azure_CIS_131_1_20 | Identity and Access Management | Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes'. |
| Azure_CIS_131_1_22 | Identity and Access Management | Ensure Security Defaults is enabled on Azure Active Directory. |
| Azure_CIS_131_1_23 | Identity and Access Management | Ensure that no custom subscription owner roles are created. |

Why do some of the Compliance Tenant level IAM rules take longer to update?

Some of the Identity and Access Management rules can take up to 48 hours before they initially show in the Lacework Console. This is because they leverage the Azure Security Benchmark Policy, which runs once every 24 hours.

Why do some of the Compliance Tenant level IAM rules still not show after 48 hours?

Some of the Identity and Access Management policies are only initialized if the free tier of Azure Security Center has been enabled in your environment.

After setting this up, the rules are only available if you have skipped the free trial.

(Screenshot: azure-asc-skip-free-trial.png)

The rules are also available if you have started paying for Azure Defender.