| 1.5.4 Configure SNMP Traps | CIS Cisco NX-OS L2 v1.1.0 | Cisco | CONFIGURATION MANAGEMENT, MAINTENANCE, SYSTEM AND INFORMATION INTEGRITY |
| 3.1.4.1 If VLAN interfaces have IP addreses, configure anti spoofing / ingress filtering protections | CIS Cisco NX-OS L1 v1.1.0 | Cisco | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 3.2.1 Ensure That Microsoft Defender for IoT Hub Is Set To 'On' | CIS Microsoft Azure Foundations v3.0.0 L2 | microsoft_azure | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 3.4 Ensure logging is enabled on all firewall policies | CIS Fortigate 7.0.x v1.3.0 L1 | FortiGate | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 3.7 Ensure VPC flow logging is enabled in all VPCs | CIS Amazon Web Services Foundations L2 3.0.0 | amazon_aws | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 3.8 Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network | CIS Google Cloud Platform v3.0.0 L2 | GCP | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 4.1.1 Detect Botnet connections | CIS Fortigate 7.0.x v1.3.0 L2 | FortiGate | SYSTEM AND INFORMATION INTEGRITY |
| 4.4.3 Ensure all Application Control related traffic is logged | CIS Fortigate 7.0.x v1.3.0 L1 | FortiGate | SYSTEM AND INFORMATION INTEGRITY |
| 5.2 Ensure forwarding is enabled for all applications and file types in WildFire file blocking profiles | CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 5.2 Ensure forwarding is enabled for all applications and file types in WildFire file blocking profiles | CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 5.2.2.6 Enable Azure AD Identity Protection user risk policies | CIS Microsoft 365 Foundations E5 L2 v3.1.0 | microsoft_azure | SYSTEM AND INFORMATION INTEGRITY |
| 5.2.2.7 Enable Azure AD Identity Protection sign-in risk policies | CIS Microsoft 365 Foundations E5 L2 v3.1.0 | microsoft_azure | SYSTEM AND INFORMATION INTEGRITY |
| 5.3 Ensure a WildFire file blocking profile is enabled for all security policies allowing Internet traffic flows | CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 5.3 Ensure a WildFire file blocking profile is enabled for all security policies allowing Internet traffic flows | CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 5.5 Ensure all WildFire session information settings are enabled | CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 5.5 Ensure all WildFire session information settings are enabled | CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 6.1 Ensure at least one antivirus profile is set to block on all decoders except 'imap' and 'pop3' | CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 6.1 Ensure at least one antivirus profile is set to block on all decoders except 'imap' and 'pop3' | CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 6.1.5 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics | CIS Microsoft Azure Foundations v3.0.0 L2 | microsoft_azure | SYSTEM AND INFORMATION INTEGRITY |
| 6.3 Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threats | CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 6.3 Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threats | CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 6.4 Ensure DNS sinkholing is configured on all anti-spyware profiles in use | CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 6.4 Ensure DNS sinkholing is configured on all anti-spyware profiles in use | CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 6.5 Ensure passive DNS monitoring is set to enabled on all anti-spyware profiles in use | CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 6.5 Ensure passive DNS monitoring is set to enabled on all anti-spyware profiles in use | CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 6.7 Ensure a VPP is set to block attacks against critical and high vulnerabilities, and set to default on med, low, and info vulns | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 6.7 Ensure a Vulnerability Protection Profile is set to block attacks against critical/high, and set to default on medium, low, and info | CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 6.7 Ensure a Vulnerability Protection Profile is set to block attacks against critical/high, and set to default on medium, low, and info | CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 6.8 Ensure a secure Vulnerability Protection Profile is applied to all security rules allowing traffic | CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 6.8 Ensure a secure Vulnerability Protection Profile is applied to all security rules allowing traffic | CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 6.13 Ensure secure URL filtering is enabled for all security policies allowing traffic to the Internet | CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 6.13 Ensure secure URL filtering is enabled for all security policies allowing traffic to the Internet | CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 6.14 Ensure alerting after a threshold of credit card or Social Security numbers is detected is enabled - Data Filtering Profile | CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 6.14 Ensure alerting after a threshold of credit card or Social Security numbers is detected is enabled - Data Filtering Profile | CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 6.15 Ensure a secure Data Filtering profile is applied to all security policies allowing traffic to or from the Internet | CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 6.15 Ensure a secure Data Filtering profile is applied to all security policies allowing traffic to or from the Internet | CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 6.19 Ensure all zones have Zone Protection Profiles that drop specially crafted packets | CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 6.19 Ensure all zones have Zone Protection Profiles that drop specially crafted packets | CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 7.4 Ensure that logging is enabled on built-in default security policies | CIS Palo Alto Firewall 10 v1.2.0 L1 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 7.4 Ensure that logging is enabled on built-in default security policies | CIS Palo Alto Firewall 11 v1.1.0 L1 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 7.6 Ensure port groups are not configured to VLAN 4095 except for Virtual Guest Tagging (VGT) | CIS VMware ESXi 6.7 v1.3.0 Level 1 | VMware | SYSTEM AND INFORMATION INTEGRITY |
| 7.7 (L1) Ensure Virtual Distributed Switch Netflow traffic is sent to an authorized collector | CIS VMware ESXi 7.0 v1.4.0 L1 | VMware | SYSTEM AND INFORMATION INTEGRITY |
| 7.7 Ensure Virtual Disributed Switch Netflow traffic is sent to an authorized collector | CIS VMware ESXi 6.7 v1.3.0 Level 1 | VMware | SYSTEM AND INFORMATION INTEGRITY |
| F5BI-LT-000239 - The BIG-IP Core implementation must continuously monitor inbound communications traffic crossing internal security boundaries for unusual or unauthorized activities or conditions. | DISA F5 BIG-IP Local Traffic Manager STIG v2r3 | F5 | SYSTEM AND INFORMATION INTEGRITY |
| PANW-AG-000115 - The Palo Alto Networks security platform must continuously monitor inbound communications traffic crossing internal security boundaries. | DISA STIG Palo Alto ALG v3r1 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| PANW-IP-000049 - The Palo Alto Networks security platform must continuously monitor inbound communications traffic for unusual/unauthorized activities or conditions. | DISA STIG Palo Alto IDPS v3r1 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| SYMP-AG-000640 - Reverse proxy Symantec ProxySG providing content filtering must continuously monitor inbound communications traffic crossing internal security boundaries for unusual or unauthorized activities or conditions. | DISA Symantec ProxySG Benchmark ALG v1r3 | BlueCoat | SYSTEM AND INFORMATION INTEGRITY |
| SYMP-AG-000650 - Symantec ProxySG providing content filtering must continuously monitor outbound communications traffic crossing internal security boundaries for unusual/unauthorized activities or conditions - Proxy Services | DISA Symantec ProxySG Benchmark ALG v1r3 | BlueCoat | SYSTEM AND INFORMATION INTEGRITY |
| SYMP-AG-000650 - Symantec ProxySG providing content filtering must continuously monitor outbound communications traffic crossing internal security boundaries for unusual/unauthorized activities or conditions - Rules | DISA Symantec ProxySG Benchmark ALG v1r3 | BlueCoat | SYSTEM AND INFORMATION INTEGRITY |
| Windows Device Configuration - File Blocking Level | Tenable Best Practices for Microsoft Intune Windows v1.0 | microsoft_azure | SYSTEM AND INFORMATION INTEGRITY |
