From 9ea6604078959c327cde30728f4d3822756f52c9 Mon Sep 17 00:00:00 2001 
From: Matt Fuller Date: Mon, 14 Oct 2019 17:35:06 -0400 Subject: [PATCH] fixing missing period --- README.md | 25 +++++++++++++++++-- .../cloudfront/public-s3-cloudfront-origin.md | 2 +- ...esource-location-matches-resource-group.md | 18 +++++++++++++ .../resources-allowed-locations.md | 18 +++++++++++++ en/azure/cdn/detect-insecure-custom-origin.md | 18 +++++++++++++ en/azure/keyvault/key-expiration-enabled.md | 18 +++++++++++++ en/azure/kubernetesservice/rbac-enabled.md | 18 +++++++++++++ en/azure/monitor/autoscale-enabled.md | 18 +++++++++++++ en/azure/monitor/log-profile-archive-data.md | 18 +++++++++++++ en/azure/monitor/nsg-log-analytics-enabled.md | 18 +++++++++++++ .../enforce-ssl-connection-enabled.md | 18 +++++++++++++ .../default-security-group.md | 18 +++++++++++++ .../networksecuritygroups/open-all-ports.md | 18 +++++++++++++ en/azure/networksecuritygroups/open-cifs.md | 1 + en/azure/networksecuritygroups/open-dns.md | 1 + en/azure/networksecuritygroups/open-ftp.md | 1 + ...n-hadoop-hdfs-namenode-metadata-service.md | 1 + .../open-hadoop-hdfs-namenode-webui.md | 1 + en/azure/networksecuritygroups/open-kibana.md | 1 + en/azure/networksecuritygroups/open-mysql.md | 1 + .../networksecuritygroups/open-netbios.md | 1 + en/azure/networksecuritygroups/open-oracle.md | 1 + .../networksecuritygroups/open-postgresql.md | 1 + en/azure/networksecuritygroups/open-rdp.md | 1 + en/azure/networksecuritygroups/open-rpc.md | 1 + .../networksecuritygroups/open-smbotcp.md | 1 + en/azure/networksecuritygroups/open-smtp.md | 1 + .../networksecuritygroups/open-sqlserver.md | 1 + en/azure/networksecuritygroups/open-ssh.md | 1 + en/azure/networksecuritygroups/open-telnet.md | 1 + .../networksecuritygroups/open-vnc-client.md | 1 + .../networksecuritygroups/open-vnc-server.md | 1 + .../securitycenter/monitor-blob-encryption.md | 18 +++++++++++++ .../securitycenter/monitor-disk-encryption.md | 3 ++- .../securitycenter/monitor-sql-auditing.md | 1 + 
.../securitycenter/monitor-sql-encryption.md | 1 + .../security-configuration-monitoring.md | 18 +++++++++++++ en/azure/sqlserver/tde-protector-encrypted.md | 18 +++++++++++++ .../log-container-public-access.md | 18 +++++++++++++ .../storageaccounts/log-storage-encryption.md | 18 +++++++++++++ 40 files changed, 335 insertions(+), 4 deletions(-) create mode 100644 en/azure/azurepolicy/resource-location-matches-resource-group.md create mode 100644 en/azure/azurepolicy/resources-allowed-locations.md create mode 100644 en/azure/cdn/detect-insecure-custom-origin.md create mode 100644 en/azure/keyvault/key-expiration-enabled.md create mode 100644 en/azure/kubernetesservice/rbac-enabled.md create mode 100644 en/azure/monitor/autoscale-enabled.md create mode 100644 en/azure/monitor/log-profile-archive-data.md create mode 100644 en/azure/monitor/nsg-log-analytics-enabled.md create mode 100644 en/azure/mysqlserver/enforce-ssl-connection-enabled.md create mode 100644 en/azure/networksecuritygroups/default-security-group.md create mode 100644 en/azure/networksecuritygroups/open-all-ports.md create mode 100644 en/azure/securitycenter/monitor-blob-encryption.md create mode 100644 en/azure/securitycenter/security-configuration-monitoring.md create mode 100644 en/azure/sqlserver/tde-protector-encrypted.md create mode 100644 en/azure/storageaccounts/log-container-public-access.md create mode 100644 en/azure/storageaccounts/log-storage-encryption.md diff --git a/README.md b/README.md index 69693df35..59942540a 100644 --- a/README.md +++ b/README.md 
@@ -149,15 +149,32 @@ This repository is an extension of CloudSploit's [open-source scanning engine](h * [HTTPS Only Enabled](en/azure/appservice/https-only-enabled.md) * [Identity Enabled](en/azure/appservice/identity-enabled.md) * [Python Version](en/azure/appservice/python-version.md) + * Azure Policy + * [Resource Location Matches Resource Group](en/azure/azurepolicy/resource-location-matches-resource-group.md) + * [Resources Allowed Locations](en/azure/azurepolicy/resources-allowed-locations.md) * Blob Service * [Blob Container Private Access](en/azure/blobservice/blob-container-private-access.md) * [Blob Service Immutable](en/azure/blobservice/blob-service-immutable.md) + * CDN + * [Detect Insecure Custom Origin](en/azure/cdn/detect-insecure-custom-origin.md) * File Service * [File Service All Access ACL](en/azure/fileservice/file-service-all-access-acl.md) + * Key Vault + * [Key Expiration Enabled](en/azure/keyvault/key-expiration-enabled.md) + * Kubernetes Service + * [RBAC Enabled](en/azure/kubernetesservice/rbac-enabled.md) * Log Alerts * [SQL Server Firewall Rule Alerts Monitor](en/azure/logalerts/sql-server-firewall-rule-alerts-monitor.md) * [Virtual Network Alerts Monitor](en/azure/logalerts/virtual-network-alerts-monitor.md) + * Monitor + * [Autoscale Enabled](en/azure/monitor/autoscale-enabled.md) + * [Log Profile Archive Data](en/azure/monitor/log-profile-archive-data.md) + * [NSG Log Analytics Enabled](en/azure/monitor/nsg-log-analytics-enabled.md) + * MySQL Server + * [Enforce SSL Connection Enabled](en/azure/mysqlserver/enforce-ssl-connection-enabled.md) * Network Security Groups + * [Default Security Group](en/azure/networksecuritygroups/default-security-group.md) + * [Open All Ports](en/azure/networksecuritygroups/open-all-ports.md) * [Open CIFS](en/azure/networksecuritygroups/open-cifs.md) * [Open DNS](en/azure/networksecuritygroups/open-dns.md) * [Open FTP](en/azure/networksecuritygroups/open-ftp.md) 
@@ -179,15 +196,19 @@ This repository is an extension of CloudSploit's [open-source scanning engine](h * [Open VNC Server](en/azure/networksecuritygroups/open-vnc-server.md) * Queue Service * [Queue Service All Access ACL](en/azure/queueservice/queue-service-all-access-acl.md) - * Resource Groups - * [Resource Groups](en/azure/resourcegroups/resource-groups.md) + * SQL Server + * [TDE Protector Encrypted](en/azure/sqlserver/tde-protector-encrypted.md) * Security Center * [Application Whitelisting Enabled](en/azure/securitycenter/application-whitelisting-enabled.md) + * [Monitor Blob Encryption](en/azure/securitycenter/monitor-blob-encryption.md) * [Monitor Disk Encryption](en/azure/securitycenter/monitor-disk-encryption.md) * [Monitor SQL Auditing](en/azure/securitycenter/monitor-sql-auditing.md) * [Monitor SQL Encryption](en/azure/securitycenter/monitor-sql-encryption.md) * [Monitor VM Vulnerability](en/azure/securitycenter/monitor-vm-vulnerability.md) + * [Security Configuration Monitoring](en/azure/securitycenter/security-configuration-monitoring.md) * Storage Accounts + * [Log Container Public Access](en/azure/storageaccounts/log-container-public-access.md) + * [Log Storage Encryption](en/azure/storageaccounts/log-storage-encryption.md) * [Network Access Default Action](en/azure/storageaccounts/network-access-default-action.md) * [Storage Accounts Encryption](en/azure/storageaccounts/storage-accounts-encryption.md) * [Storage Accounts HTTPS](en/azure/storageaccounts/storage-accounts-https.md) diff --git a/en/aws/cloudfront/public-s3-cloudfront-origin.md b/en/aws/cloudfront/public-s3-cloudfront-origin.md index e28b7b643..2c8bfe1d0 100644 --- a/en/aws/cloudfront/public-s3-cloudfront-origin.md +++ b/en/aws/cloudfront/public-s3-cloudfront-origin.md 
@@ -15,7 +15,7 @@ | **Recommended Action** | Create an origin access identity for CloudFront, then make the contents of the S3 bucket private. | ## Detailed Remediation Steps -1.Log into the AWS Management Console. +1. Log into the AWS Management Console. 2. Select the "Services" option and search for CloudFront.
3. Select the "CloudFront Distribution" that needs to be verified.
4. Click the "Distribution Settings" button from menu to get into the "CloudFront Distribution" configuration page.
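Review bot: On the `+1. Log into the AWS Management Console.` line the fix is a missing space after the list number, not a period, so the subject "fixing missing period" does not describe this hunk. The diffstat above also lists 40 files changed, 16 of them newly created Azure pages. Suggest a subject that names the new plugin pages, or moving this one-line typo fix into its own commit so it can be reviewed and reverted separately.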
diff --git a/en/azure/azurepolicy/resource-location-matches-resource-group.md b/en/azure/azurepolicy/resource-location-matches-resource-group.md new file mode 100644 index 000000000..adc8439ed --- /dev/null +++ b/en/azure/azurepolicy/resource-location-matches-resource-group.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Azure Policy / Resource Location Matches Resource Group + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Resource Location Matches Resource Group | +| **Cloud** | AZURE | +| **Category** | Azure Policy | +| **Description** | Ensures deployed resources match the resource groups they are in, as well as ensuring the Audit resource location matches resource group location policy is assigned. | +| **More Info** | Monitoring changes to resources follows Security and Compliance best practices. Being able to track resource location changes adds a level of accountability. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/governance/policy/assign-policy-portal | +| **Recommended Action** | 1. Navigate to the Policy service. 2. Select the Assignments blade. 3. Click on Assign Policy. 4. Click to search a Policy definition, search for and select: Audit resource location matches resource group location. 5. Under Parameters, select your Allowed locations. 6. Click on Assign. | + +## Detailed Remediation Steps + diff --git a/en/azure/azurepolicy/resources-allowed-locations.md b/en/azure/azurepolicy/resources-allowed-locations.md new file mode 100644 index 000000000..422630b7a --- /dev/null +++ b/en/azure/azurepolicy/resources-allowed-locations.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Azure Policy / Resources Allowed Locations + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Resources Allowed Locations | +| **Cloud** | AZURE | +| **Category** | Azure Policy | +| **Description** | Ensures deployed resources and resource groups belong to the list set in the Allowed locations for resource groups policy. | +| **More Info** | Monitoring changes to resources follows Security and Compliance best practices. Being able to track resource location changes adds a level of accountability. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/governance/policy/assign-policy-portal | +| **Recommended Action** | 1. Navigate to the Policy service. 2. Select the Assignments blade. 3. Click on Assign Policy. 4. Click to search a Policy definition, search for and select: Allowed locations for resource groups. 5. Under Parameters, select your Allowed locations. 6. Click on Assign. | + +## Detailed Remediation Steps + diff --git a/en/azure/cdn/detect-insecure-custom-origin.md b/en/azure/cdn/detect-insecure-custom-origin.md new file mode 100644 index 000000000..49258e2a1 --- /dev/null +++ b/en/azure/cdn/detect-insecure-custom-origin.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / CDN / Detect Insecure Custom Origin + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Detect Insecure Custom Origin | +| **Cloud** | AZURE | +| **Category** | CDN | +| **Description** | Ensure that HTTPS is enabled when creating a new CDN endpoint with a Custom Origin. | +| **More Info** | Detects if HTTPS is disabled for CDN endpoint of custom origins. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/cdn/cdn-create-endpoint-how-to | +| **Recommended Action** | 1. Navigate to CDN profiles. 2. Select a profile. 3. Select an endpoint. 4. Select Settings > Origin. 5. Turn off HTTP and make sure HTTPS is turned on. | + +## Detailed Remediation Steps + diff --git a/en/azure/keyvault/key-expiration-enabled.md b/en/azure/keyvault/key-expiration-enabled.md new file mode 100644 index 000000000..f6fb206f4 --- /dev/null +++ b/en/azure/keyvault/key-expiration-enabled.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Key Vault / Key Expiration Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Key Expiration Enabled | +| **Cloud** | AZURE | +| **Category** | Key Vault | +| **Description** | Ensure that all Keys in Azure Key Vault have an expiry time set. | +| **More Info** | Setting an expiry time on all keys forces key rotation and removes unused and forgotten keys from being used. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates | +| **Recommended Action** | 1. Go to Key vaults. 2. For each Key vault, click on Keys. 3. Ensure that each key in the vault has EXPIRATION DATE set as appropriate. | + +## Detailed Remediation Steps + 
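Review bot: The `## Detailed Remediation Steps` heading that closes the new key-expiration-enabled.md has nothing under it, so the rendered page ends on an empty section; the other new pages visible in this patch end the same way. Either add the portal steps or leave the heading out until they exist. In the More Info row, "removes unused and forgotten keys from being used" reads awkwardly; "prevents unused and forgotten keys from being used" says the same thing.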
diff --git a/en/azure/kubernetesservice/rbac-enabled.md b/en/azure/kubernetesservice/rbac-enabled.md new file mode 100644 index 000000000..ea2ab2ca4 --- /dev/null +++ b/en/azure/kubernetesservice/rbac-enabled.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Kubernetes Service / RBAC Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | RBAC Enabled | +| **Cloud** | AZURE | +| **Category** | Kubernetes Service | +| **Description** | Ensures that RBAC is enabled on all Azure Kubernetes Services Instances | +| **More Info** | Role Based Access Control(RBAC) provides greater control and security for Kubernetes clusters. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/aks/aad-integration | +| **Recommended Action** | When creating a new Kubernetes Cluster, ensure that RBAC is enabled under the Authentication tab during creation. | + +## Detailed Remediation Steps + diff --git a/en/azure/monitor/autoscale-enabled.md b/en/azure/monitor/autoscale-enabled.md new file mode 100644 index 000000000..c9165813f --- /dev/null +++ b/en/azure/monitor/autoscale-enabled.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Monitor / Autoscale Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Autoscale Enabled | +| **Cloud** | AZURE | +| **Category** | Monitor | +| **Description** | Ensure Autoscaling is enabled on Resource Groups. | +| **More Info** | Enabling Autoscale increases efficency and improves cost management for resources. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-use-availability-zones | +| **Recommended Action** | 1. Navigate to the Monitor category. 2. Select the autoscale blade under settings. 3. Choose the resource group. 4. Configure autoscaling. | + +## Detailed Remediation Steps + diff --git a/en/azure/monitor/log-profile-archive-data.md b/en/azure/monitor/log-profile-archive-data.md new file mode 100644 index 000000000..0ac3f1ddb --- /dev/null +++ b/en/azure/monitor/log-profile-archive-data.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Monitor / Log Profile Archive Data + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Log Profile Archive Data | +| **Cloud** | AZURE | +| **Category** | Monitor | +| **Description** | The Log Profile should be configured to export all activities from the control/management plane in all active locations. | +| **More Info** | Enabling logging of all activities in a log profile ensures that cloud security best practices, as well as compliance and monitoring standards are followed. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/azure-monitor/platform/archive-activity-log | +| **Recommended Action** | 1. Enter the Monitor category. 2. Select Activity Log from the left hand menu. 3. On the top of activity log select Export to Event Hub to enable activity log archiving and select the storage account or event hub to send the data to. | + +## Detailed Remediation Steps + diff --git a/en/azure/monitor/nsg-log-analytics-enabled.md b/en/azure/monitor/nsg-log-analytics-enabled.md new file mode 100644 index 000000000..c4102d025 --- /dev/null +++ b/en/azure/monitor/nsg-log-analytics-enabled.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Monitor / NSG Log Analytics Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | NSG Log Analytics Enabled | +| **Cloud** | AZURE | +| **Category** | Monitor | +| **Description** | Ensures Network Security Groups logs are sent to the Log Analytics workspace. | +| **More Info** | Enabling Log Analytics ensures that logs are shipped to a central repository that can be queried and audited, following cloud security best practices. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/azure-monitor/platform/collect-activity-logs | +| **Recommended Action** | 1. Go to Azure Monitor. 2. Select Diagnostic setting from the settings tab on the list to the left. 3. Choose the resource. 4. If no diagnostic setting defined, add diagnostic setting and enable Send to Log Analytics, if diagnostic setting are defined, edit the setting to enable Send to Log Analytics. | + +## Detailed Remediation Steps + diff --git a/en/azure/mysqlserver/enforce-ssl-connection-enabled.md b/en/azure/mysqlserver/enforce-ssl-connection-enabled.md new file mode 100644 index 000000000..4c9b8bd94 --- /dev/null +++ b/en/azure/mysqlserver/enforce-ssl-connection-enabled.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / MySQL Server / Enforce SSL Connection Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Enforce SSL Connection Enabled | +| **Cloud** | AZURE | +| **Category** | MySQL Server | +| **Description** | Ensures SSL connection is set on MySQL Servers. | +| **More Info** | SSL prevents infiltration attacks by encrypting the data stream between the server and app. By ensuring that SSL is enabled, security best practices are followed. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/mysql/concepts-ssl-connection-security | +| **Recommended Action** | 1. Login to Azure Portal. 2. Go to Azure Database for MySQL server. 3. For each database, click on Connection security. 4. In SSL settings, Ensure Enforce SSL connection is set to Enabled. | + +## Detailed Remediation Steps + diff --git a/en/azure/networksecuritygroups/default-security-group.md b/en/azure/networksecuritygroups/default-security-group.md new file mode 100644 index 000000000..087f3b189 --- /dev/null +++ b/en/azure/networksecuritygroups/default-security-group.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Network Security Groups / Default Security Group + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Default Security Group | +| **Cloud** | AZURE | +| **Category** | Network Security Groups | +| **Description** | Ensure the default security groups block all traffic by default. | +| **More Info** | The default security group is often used for resources launched without a defined security group. For this reason, the default rules should be to block all traffic to prevent an accidental exposure. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group | +| **Recommended Action** | Update the rules for the default security group to deny all traffic by default. | + +## Detailed Remediation Steps + diff --git a/en/azure/networksecuritygroups/open-all-ports.md b/en/azure/networksecuritygroups/open-all-ports.md new file mode 100644 index 000000000..f68a5c40e --- /dev/null +++ b/en/azure/networksecuritygroups/open-all-ports.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Network Security Groups / Open All Ports + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open All Ports | +| **Cloud** | AZURE | +| **Category** | Network Security Groups | +| **Description** | Determine if all ports are open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, services should be restricted to known IP addresses. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group | +| **Recommended Action** | Restrict ports to known IP addresses | + +## Detailed Remediation Steps + 
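Review bot: The Description ("Determine if all ports are open to the public") and Recommended Action ("Restrict ports to known IP addresses") rows of the new open-all-ports.md both end without a period, which is what the subject line says this commit fixes. The Recommended Action also gives no portal steps and `## Detailed Remediation Steps` is empty, so a reader who gets this finding has nothing to follow; the numbered steps already used in the existing open-* pages would fit here.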
diff --git a/en/azure/networksecuritygroups/open-cifs.md b/en/azure/networksecuritygroups/open-cifs.md index 238f446d1..ff0fffb73 100644 --- a/en/azure/networksecuritygroups/open-cifs.md +++ b/en/azure/networksecuritygroups/open-cifs.md @@ -15,6 +15,7 @@ | **Recommended Action** | Restrict UDP port 445 to known IP addresses | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-dns.md b/en/azure/networksecuritygroups/open-dns.md index 11ad686f0..52ace53fa 100644 --- a/en/azure/networksecuritygroups/open-dns.md +++ b/en/azure/networksecuritygroups/open-dns.md @@ -15,6 +15,7 @@ | **Recommended Action** | Restrict TCP and UDP port 53 to known IP addresses | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-ftp.md b/en/azure/networksecuritygroups/open-ftp.md index 0280a10d9..76339bca9 100644 --- a/en/azure/networksecuritygroups/open-ftp.md +++ b/en/azure/networksecuritygroups/open-ftp.md @@ -15,6 +15,7 @@ | **Recommended Action** | Restrict TCP port 20 or 21 to known IP addresses | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-hadoop-hdfs-namenode-metadata-service.md b/en/azure/networksecuritygroups/open-hadoop-hdfs-namenode-metadata-service.md index bb580187a..a48a8ae6a 100644 --- a/en/azure/networksecuritygroups/open-hadoop-hdfs-namenode-metadata-service.md +++ b/en/azure/networksecuritygroups/open-hadoop-hdfs-namenode-metadata-service.md @@ -15,6 +15,7 @@ | **Recommended Action** | Restrict TCP port 8020 to known IP addresses for Hadoop/HDFS. | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-hadoop-hdfs-namenode-webui.md b/en/azure/networksecuritygroups/open-hadoop-hdfs-namenode-webui.md index b99017cc5..dcfc3c087 100644 --- a/en/azure/networksecuritygroups/open-hadoop-hdfs-namenode-webui.md +++ b/en/azure/networksecuritygroups/open-hadoop-hdfs-namenode-webui.md @@ -15,6 +15,7 @@ | **Recommended Action** | Restrict TCP port 50070 and 50470 to known IP addresses for Hadoop/HDFS | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-kibana.md b/en/azure/networksecuritygroups/open-kibana.md index 06553eb17..a5345ba92 100644 --- a/en/azure/networksecuritygroups/open-kibana.md +++ b/en/azure/networksecuritygroups/open-kibana.md @@ -15,6 +15,7 @@ | **Recommended Action** | Restrict TCP port 5601 to known IP addresses | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-mysql.md b/en/azure/networksecuritygroups/open-mysql.md index a010f59b5..ed5ff4cc9 100644 --- a/en/azure/networksecuritygroups/open-mysql.md +++ b/en/azure/networksecuritygroups/open-mysql.md @@ -15,6 +15,7 @@ | **Recommended Action** | Restrict TCP ports 4333 and 3306 to known IP addresses | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-netbios.md b/en/azure/networksecuritygroups/open-netbios.md index e0cca70f7..14f23049b 100644 --- a/en/azure/networksecuritygroups/open-netbios.md +++ b/en/azure/networksecuritygroups/open-netbios.md @@ -15,6 +15,7 @@ | **Recommended Action** | Restrict UDP ports 137 and 138 to known IP addresses | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-oracle.md b/en/azure/networksecuritygroups/open-oracle.md index 5551db390..65c010852 100644 --- a/en/azure/networksecuritygroups/open-oracle.md +++ b/en/azure/networksecuritygroups/open-oracle.md @@ -15,6 +15,7 @@ | **Recommended Action** | Restrict TCP ports 1521 to known IP addresses | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-postgresql.md b/en/azure/networksecuritygroups/open-postgresql.md index 14c6d0fd2..745bc84e8 100644 --- a/en/azure/networksecuritygroups/open-postgresql.md +++ b/en/azure/networksecuritygroups/open-postgresql.md @@ -15,6 +15,7 @@ | **Recommended Action** | Restrict TCP port 5432 to known IP addresses | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-rdp.md b/en/azure/networksecuritygroups/open-rdp.md index 875f3d057..e3f1fe5a5 100644 --- a/en/azure/networksecuritygroups/open-rdp.md +++ b/en/azure/networksecuritygroups/open-rdp.md @@ -15,6 +15,7 @@ | **Recommended Action** | For each VM, open the Networking blade and verify that the Inbound Port Rules do not have a rule for RDP with a source equal to "Any" OR "Internet" | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-rpc.md b/en/azure/networksecuritygroups/open-rpc.md index 7dbb155c2..dc4cb968d 100644 --- a/en/azure/networksecuritygroups/open-rpc.md +++ b/en/azure/networksecuritygroups/open-rpc.md @@ -15,6 +15,7 @@ | **Recommended Action** | Restrict TCP port 135 to known IP addresses | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-smbotcp.md b/en/azure/networksecuritygroups/open-smbotcp.md index 263ccc6bf..b5a6aae86 100644 --- a/en/azure/networksecuritygroups/open-smbotcp.md +++ b/en/azure/networksecuritygroups/open-smbotcp.md @@ -15,6 +15,7 @@ | **Recommended Action** | Restrict TCP port 445 to known IP addresses | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-smtp.md b/en/azure/networksecuritygroups/open-smtp.md index 145b4fd30..28866fda6 100644 --- a/en/azure/networksecuritygroups/open-smtp.md +++ b/en/azure/networksecuritygroups/open-smtp.md @@ -15,6 +15,7 @@ | **Recommended Action** | Restrict TCP port 25 to known IP addresses | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-sqlserver.md b/en/azure/networksecuritygroups/open-sqlserver.md index be407fd85..353bda272 100644 --- a/en/azure/networksecuritygroups/open-sqlserver.md +++ b/en/azure/networksecuritygroups/open-sqlserver.md @@ -15,6 +15,7 @@ | **Recommended Action** | Restrict TCP port 1433 and UDP port 1434 to known IP addresses | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-ssh.md b/en/azure/networksecuritygroups/open-ssh.md index 1d3dfe01a..3e52a34a8 100644 --- a/en/azure/networksecuritygroups/open-ssh.md +++ b/en/azure/networksecuritygroups/open-ssh.md @@ -15,6 +15,7 @@ | **Recommended Action** | Restrict TCP port 22 to known IP addresses | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-telnet.md b/en/azure/networksecuritygroups/open-telnet.md index 4b79c6663..1931de5d7 100644 --- a/en/azure/networksecuritygroups/open-telnet.md +++ b/en/azure/networksecuritygroups/open-telnet.md @@ -15,6 +15,7 @@ | **Recommended Action** | Restrict TCP port 23 to known IP addresses | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-vnc-client.md b/en/azure/networksecuritygroups/open-vnc-client.md index 4996ccf2a..1c8cb9e75 100644 --- a/en/azure/networksecuritygroups/open-vnc-client.md +++ b/en/azure/networksecuritygroups/open-vnc-client.md @@ -15,6 +15,7 @@ | **Recommended Action** | Restrict TCP port 5500 to known IP addresses | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/networksecuritygroups/open-vnc-server.md b/en/azure/networksecuritygroups/open-vnc-server.md index 9e87647ce..4e17ad072 100644 --- a/en/azure/networksecuritygroups/open-vnc-server.md +++ b/en/azure/networksecuritygroups/open-vnc-server.md @@ -15,6 +15,7 @@ | **Recommended Action** | Restrict TCP port 5900 to known IP addresses | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Network security groups.
3. Select the "Network security group" that needs to be verified.
diff --git a/en/azure/securitycenter/monitor-blob-encryption.md b/en/azure/securitycenter/monitor-blob-encryption.md new file mode 100644 index 000000000..65775acb6 --- /dev/null +++ b/en/azure/securitycenter/monitor-blob-encryption.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Security Center / Monitor Blob Encryption + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Monitor Blob Encryption | +| **Cloud** | AZURE | +| **Category** | Security Center | +| **Description** | Ensures that Blob Storage Encryption monitoring is enabled. | +| **More Info** | When this setting is enabled, Security Center audits blob encryption in all storage accounts to enhance data at rest protection. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/security-center/security-center-policies | +| **Recommended Action** | 1. Go to Azure Security Center 2. Click on Security policy 3. Click on your Subscription Name 4. Look for the "Audit missing blob encryption for storage accounts." setting. 5. Ensure that it is not set to Disabled | + +## Detailed Remediation Steps + diff --git a/en/azure/securitycenter/monitor-disk-encryption.md b/en/azure/securitycenter/monitor-disk-encryption.md index 443319fca..15f68912c 100644 --- a/en/azure/securitycenter/monitor-disk-encryption.md +++ b/en/azure/securitycenter/monitor-disk-encryption.md 
@@ -10,11 +10,12 @@ | **Cloud** | AZURE | | **Category** | Security Center | | **Description** | Ensures Disk Encryption monitoring is enabled in Security Center. | -| **More Info** | When this setting is enabled, Security Center audits disk encryption in all virtual machines (Windows and Linux as well) to enhance data protection at rest. | +| **More Info** | When this setting is enabled, Security Center audits disk encryption in all virtual machines (Windows and Linux as well) to enhance data at rest protection. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/security-center/security-center-policy-definitions | | **Recommended Action** | 1. Go to Azure Security Center 2. Click On the security policy to Open Policy Management Blade. 3. Click Subscription View 4. Click on Subscription Name to open Security Policy Blade for the Subscription. 5. Expand Compute And Apps 6. Ensure that Disk Encryption is not set to Disabled | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Security Center.
3. Scroll down the "Security Center" navigation panel and select the "Security policy" option under "POLICY & COMPLIANCE."
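Review bot: the replaced More Info line in monitor-disk-encryption.md now ends "to enhance data at rest protection", which is harder to parse than the "data protection at rest" it removes. If the aim is to match the wording in monitor-blob-encryption.md, hyphenate it as "data-at-rest protection" in both files. "(Windows and Linux as well)" on the same line could be shortened to "(Windows and Linux)" while the line is being touched.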
diff --git a/en/azure/securitycenter/monitor-sql-auditing.md b/en/azure/securitycenter/monitor-sql-auditing.md index f6b805363..545f4b17a 100644 --- a/en/azure/securitycenter/monitor-sql-auditing.md +++ b/en/azure/securitycenter/monitor-sql-auditing.md @@ -15,6 +15,7 @@ | **Recommended Action** | 1. Go to Azure Security Center 2. Click on Security policy 3. Click on your Subscription Name 4. Look for the "Monitor SQL auditing" setting. 5. Ensure that it is not set to Disabled | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Security Center.
3. Scroll down the "Security Center" navigation panel and select the "Security policy" option under "POLICY & COMPLIANCE."
diff --git a/en/azure/securitycenter/monitor-sql-encryption.md b/en/azure/securitycenter/monitor-sql-encryption.md index be8f1f046..34c5c51b1 100644 --- a/en/azure/securitycenter/monitor-sql-encryption.md +++ b/en/azure/securitycenter/monitor-sql-encryption.md @@ -15,6 +15,7 @@ | **Recommended Action** | 1. Go to Azure Security Center 2. Click on Security policy 3. Click on your Subscription Name 4. Look for the "Monitor SQL encryption" setting. 5. Ensure that it is not set to Disabled | ## Detailed Remediation Steps + 1. Log into the Microsoft Azure Management Console. 2. Select the "Search resources, services, and docs" option at the top and search for Security Center.
3. Scroll down the "Security Center" navigation panel and select the "Security policy" option under "POLICY & COMPLIANCE."
diff --git a/en/azure/securitycenter/security-configuration-monitoring.md b/en/azure/securitycenter/security-configuration-monitoring.md new file mode 100644 index 000000000..b616b16f7 --- /dev/null +++ b/en/azure/securitycenter/security-configuration-monitoring.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Security Center / Security Configuration Monitoring + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Security Configuration Monitoring | +| **Cloud** | AZURE | +| **Category** | Security Center | +| **Description** | Ensure that Security Configuration Monitoring is set to audit on the Default Policy | +| **More Info** | By enabling audit on Security Configuration Monitoring, Security Vulnerabilities on machines can be detected, keeping security up to date and following security best practices. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/governance/policy/overview | +| **Recommended Action** | 1. Navigate to the Policy service. 2. Select the Assignments blade. 3. Select the ASC Default policy. 4. Select Edit Assignment and Look for Vulnerabilities in Security Configuration On Your Machine Should Be Remediated and select AuditIfNotExists in the drop down menu. | + +## Detailed Remediation Steps + diff --git a/en/azure/sqlserver/tde-protector-encrypted.md b/en/azure/sqlserver/tde-protector-encrypted.md new file mode 100644 index 000000000..1b670a1c6 --- /dev/null +++ b/en/azure/sqlserver/tde-protector-encrypted.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / SQL Server / TDE Protector Encrypted + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | TDE Protector Encrypted | +| **Cloud** | AZURE | +| **Category** | SQL Server | +| **Description** | Ensure SQL server's TDE protector is encrypted with BYOK (Use your own key) | +| **More Info** | Enabling BYOK in the TDE protector allows for greater control and transparency, as well as increasing security by having full control of the encryption keys. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/sql-database/transparent-data-encryption-byok-azure-sql | +| **Recommended Action** | 1. Enter the SQL Server category in the Azure portal. 2. Choose the sql server. 3. Enter the Transparent Data Encryption blade. 4. Enable Use Your Own Key. 5. Select an existing key or create one. | + +## Detailed Remediation Steps + diff --git a/en/azure/storageaccounts/log-container-public-access.md b/en/azure/storageaccounts/log-container-public-access.md new file mode 100644 index 000000000..695a19f4a --- /dev/null +++ b/en/azure/storageaccounts/log-container-public-access.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Storage Accounts / Log Container Public Access + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Log Container Public Access | +| **Cloud** | AZURE | +| **Category** | Storage Accounts | +| **Description** | Ensure that the Activity Log Container does not have public read access. | +| **More Info** | Enabling private access only on the Activity Log Storage Container ensures that log data is secured and only accessible from within, following security best practices. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/storage/blobs/storage-manage-access-to-resources | +| **Recommended Action** | 1. Enter the activity log service. 2. Choose the export option. 3. Note the storage container in use. 4. Enter the storage account in use by navigating to the storage accounts service. 5. Select the Blob blade under Blob Service. 6. Select insights-operational-logs. 7. Click on Access Level and ensure that access is set to private. | + +## Detailed Remediation Steps + diff --git a/en/azure/storageaccounts/log-storage-encryption.md b/en/azure/storageaccounts/log-storage-encryption.md new file mode 100644 index 000000000..8d21f52cd --- /dev/null +++ b/en/azure/storageaccounts/log-storage-encryption.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Storage Accounts / Log Storage Encryption + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Log Storage Encryption | +| **Cloud** | AZURE | +| **Category** | Storage Accounts | +| **Description** | Ensures BYOK encryption is properly configured in the Activity Log Storage Account. | +| **More Info** | Storage accounts can be configured to encrypt data-at-rest, by default Azure will create a set of keys to encrypt your storage account, but the recommended approach is to create your own keys using Azure Key Vault. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption-customer-managed-keys | +| **Recommended Action** | 1. Enter the activity log service. 2. Choose the export option. 3. Note the storage container in use. 4. Enter the storage account in use by navigating to the storage accounts service. 5. Navigate to encryption and enable Use Your Own Key. | + +## Detailed Remediation Steps +
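Review bot: in monitor-blob-encryption.md the new file ends on an empty "## Detailed Remediation Steps" heading, so the only guidance is the five steps packed into the Recommended Action cell. Either add the numbered portal steps the existing pages carry (they start "1. Log into the Microsoft Azure Management Console.") or leave the heading out until they exist. Step 5, "Ensure that it is not set to Disabled", would also be easier to act on if it named the value to select rather than the one to avoid.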
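Review bot: step 4 of the Recommended Action in security-configuration-monitoring.md runs the policy name into the sentence ("Look for Vulnerabilities in Security Configuration On Your Machine Should Be Remediated and select AuditIfNotExists"), so it is unclear where the setting name ends. Put the setting name in quotes, as monitor-blob-encryption.md does for its setting. The Description also lacks a trailing period, and "## Detailed Remediation Steps" is added with nothing under it.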
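Review bot: the Description in tde-protector-encrypted.md glosses BYOK as "(Use your own key)"; the acronym stands for Bring Your Own Key, and "Use Your Own Key" is the portal option named in step 4. Suggest "BYOK (Bring Your Own Key)" in the Description and keeping the portal label in the steps. The Description is also missing its trailing period, and step 2 writes "sql server" where the rest of the file uses "SQL Server".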
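Review bot: the More Info cell in log-container-public-access.md says the log data is "only accessible from within" without saying within what, which leaves the control ambiguous. State the effect of the private access level directly, for example that anonymous reads are refused and every request must be authorized. Step 3 asks the reader to note the container in use while step 6 hardcodes "insights-operational-logs"; say which one to select if they differ.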
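Review bot: step 5 of the Recommended Action in log-storage-encryption.md stops at "enable Use Your Own Key" and never has the reader pick a key, although the More Info cell says the recommended approach is to create keys using Azure Key Vault. Add the key selection step, as tde-protector-encrypted.md does with "Select an existing key or create one". The More Info sentence is also a comma splice ("data-at-rest, by default Azure will create ...") and should be split in two.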