This is the full catalog of the 197 detection rules simiriki runs against a Microsoft 365 and Azure tenant — read-only, in minutes. For each control you see its code, what it checks, severity, the data plane it reads from, the regulatory evidence it supports, and an honest coverage state.
We publish the coverage map. We keep the evaluator logic — the exact queries and pass/fail thresholds — private. Coverage transparency without handing over the engine.
A Microsoft 365 estate is not one surface. Identity, mail flow, sharing, devices, audit, app consent, and the Azure resources underneath all expose their state through different APIs. simiriki reads two planes with a read-only token: 151 controls via Microsoft Graph and 46 controls via Azure Resource Manager — 197 in total.
Here is the part most vendors hide: a single read-only token does not reach everything. Power Platform governance lives behind the Power Platform Admin API. Teams meeting and federation policy, and Exchange and Defender policy state, sit in surfaces a Graph token cannot read. So we are explicit. Of the 197 controls, 92 return an automated pass or fail on every tenant; 22 are conditional — they evaluate only when the relevant resource exists (the Azure SQL rules, for example, apply only when SQL servers are present); and 83 are flagged for admin consent or manual review and excluded from the posture score. We never report a control we cannot read as a pass, and we never fail a tenant we did not actually measure.
simiriki open-sources its coverage, not its engine. The catalog below is the published half.
85 of the 197 controls carry a declared mapping to the Mexican frameworks simiriki documents evidence for. Filter by framework to see exactly which controls support each obligation — each row cites the specific article it answers to. We map only what the control genuinely evidences; a control with no declared mapping shows none rather than an invented crosswalk.
- LFPDPPP: Mexican Federal Personal Data Protection Law
- CNBV (CUB): Banking Regulation (Information Security)
- NOM-151-SCFI-2016: Digital Records Preservation Standard
| Code | Control | Severity | Plane | Evidence | Coverage |
|---|---|---|---|---|---|
| IAM-001 | MFA not enforced for all users | Critical | Microsoft Graph | LFPDPPP · Article 19; LFPDPPP Regulations · Article 57 — Security Measures — Access Control; CUB · Art. 168 Bis 11 VI (a) — Identification, authentication and roles; CUB · Art. 168 Bis 12 II — Annual reviews of MFA, CA, patches and changes; CUB · Art. 310 III — Category 3 authentication factor (possession); CUB · Art. 311–312 — Second factor Cat. 3 or 4 for Internet operations | Automated |
| IAM-002 | No Conditional Access policies configured | Critical | Microsoft Graph | LFPDPPP · Article 19; LFPDPPP Regulations · Article 57 — Security Measures — Access Control; CUB · Art. 168 Bis 11 VI (a) — Identification, authentication and roles; CUB · Art. 168 Bis 12 II — Annual reviews of MFA, CA, patches and changes; CUB · Art. 311–312 — Second factor Cat. 3 or 4 for Internet operations | Automated |
| IAM-003 | Guest accounts with excessive permissions | High | Microsoft Graph | LFPDPPP · Article 19 | Automated |
| IAM-004 | Global admin without PIM | High | Microsoft Graph | CUB · Art. 168 Bis 11 VI (a) — Identification, authentication and roles; CUB · Art. 168 Bis 14 III — Annual review of access profiles | Requires review |
| IAM-005 | Stale accounts not disabled | Medium | Microsoft Graph | CUB · Art. 168 Bis 11 VI (c) — Rotation of application-to-application credentials; CUB · Art. 168 Bis 12 X — Controls from hiring to termination | Automated |
| IAM-006 | Password expiration policy not set | Medium | Microsoft Graph | CUB · Art. 310 II — Category 2 authentication factor (knowledge); CUB · Art. 316 Bis 4 — Password/PIN change ≤90 days | Automated |
| IAM-007 | Self-service password reset not configured | Medium | Microsoft Graph | none | Conditional |
| IAM-008 | Legacy authentication protocols enabled | High | Microsoft Graph | LFPDPPP · Article 19; CUB · Art. 168 Bis 12 II — Annual reviews of MFA, CA, patches and changes | Automated |
| RSK-001 | No sign-in risk policy configured | High | Microsoft Graph | none | Automated |
| RSK-002 | No user risk policy configured | High | Microsoft Graph | none | Automated |
| RSK-003 | No named locations defined for CA policies | Medium | Microsoft Graph | none | Automated |
| RSK-004 | Security defaults not enabled (no CA policies) | Critical | Microsoft Graph | none | Automated |
| RSK-005 | No break-glass emergency access account | Critical | Microsoft Graph | none | Requires review |
| IAM-009 | Password expiration policy not configured | High | Microsoft Graph | CUB · Art. 310 II — Category 2 authentication factor (knowledge); CUB · Art. 316 Bis 4 — Password/PIN change ≤90 days | Automated |
| IAM-010 | Self-service password reset not enabled | Medium | Microsoft Graph | none | Conditional |
| IAM-011 | No sign-in risk policy configured | High | Microsoft Graph | none | Automated |
| IAM-012 | No user risk policy configured | High | Microsoft Graph | none | Automated |
| IAM-013 | Privileged Identity Management not enabled | Critical | Microsoft Graph | CUB · Art. 168 Bis 14 III — Annual review of access profiles; CUB · Art. 168 Bis 14 IV — Annual verification of assignments + exception register | Requires review |
| IAM-014 | Emergency access accounts not configured | Critical | Microsoft Graph | none | Automated |
| IAM-015 | Multiple global administrators detected (>4) | High | Microsoft Graph | none | Requires review |
| IAM-016 | Admin accounts not cloud-only | Medium | Microsoft Graph | none | Automated |
| IAM-017 | No authentication strength policy for admins | High | Microsoft Graph | CUB · Art. 168 Bis 11 VI (a) — Identification, authentication and roles; CUB · Art. 168 Bis 12 II — Annual reviews of MFA, CA, patches and changes; CUB · Art. 310 III — Category 3 authentication factor (possession); CUB · Art. 311–312 — Second factor Cat. 3 or 4 for Internet operations | Conditional |
| IAM-018 | App registration allowed for all users | Medium | Microsoft Graph | none | Conditional |
| IAM-019 | Consent for applications not restricted | High | Microsoft Graph | none | Automated |
| IAM-020 | LinkedIn account integration enabled | Low | Microsoft Graph | none | Automated |
| IAM-021 | No named locations configured for CA policies | Medium | Microsoft Graph | none | Automated |
| IAM-022 | Security defaults not enabled (no CA alternative) | Critical | Microsoft Graph | none | Conditional |
| IAM-023 | No terms of use configured | Low | Microsoft Graph | none | Automated |
| IAM-024 | Cross-tenant access settings not reviewed | Medium | Microsoft Graph | CUB · Art. 168 Bis 12 X — Controls from hiring to termination | Automated |
| IAM-025 | No access review campaigns configured | Medium | Microsoft Graph | CUB · Art. 168 Bis 12 X — Controls from hiring to termination; CUB · Art. 168 Bis 14 III — Annual review of access profiles; CUB · Art. 168 Bis 14 IV — Annual verification of assignments + exception register | Automated |
| IAM-026 | Service principal secrets older than 365 days | High | Microsoft Graph | CUB · Art. 168 Bis 11 VI (c) — Rotation of application-to-application credentials | Automated |
| IAM-027 | Sign-in frequency not enforced via Conditional Access | Medium | Microsoft Graph | CUB · Art. 168 Bis 12 II — Annual reviews of MFA, CA, patches and changes | Automated |

| Code | Control | Severity | Plane | Evidence | Coverage |
|---|---|---|---|---|---|
| EML-001 | SPF record missing or misconfigured | Critical | Microsoft Graph | LFPDPPP · Article 19 | Automated |
| EML-002 | DKIM not enabled for all domains | High | Microsoft Graph | LFPDPPP · Article 19 | Automated |
| EML-003 | DMARC policy not enforced | High | Microsoft Graph | LFPDPPP · Article 19 | Automated |
| EML-004 | Mail forwarding rules to external domains | High | Microsoft Graph | LFPDPPP · Article 19 | Conditional |
| EML-005 | Safe Attachments policy not configured | Medium | Microsoft Graph | CUB · Art. 168 Bis 12 IX — Threat hunting (phishing, impersonation, ATM/POS) | Requires review |
| EML-006 | Anti-phishing policy at default | Medium | Microsoft Graph | CUB · Art. 168 Bis 12 IX — Threat hunting (phishing, impersonation, ATM/POS) | Requires review |
| EXO-001 | Domains with weak authentication type | High | Microsoft Graph | none | Requires review |
| EXO-002 | No Exchange Online security alerts configured | High | Microsoft Graph | none | Requires review |
| EXO-003 | Exchange Online service health degraded | Medium | Microsoft Graph | CUB · Art. 168 Bis 11 XIII — Availability and response-time SLA | Automated |
| EXO-004 | Users with auto-forwarding enabled | High | Microsoft Graph | none | Requires review |
| EXO-005 | Password validity period not restricted | Medium | Microsoft Graph | CUB · Art. 316 Bis 4 — Password/PIN change ≤90 days | Automated |
| EML-007 | Anti-phishing policy not configured | High | Microsoft Graph | none | Requires review |
| EML-008 | Safe Links policy not configured | High | Microsoft Graph | CUB · Art. 168 Bis 12 IX — Threat hunting (phishing, impersonation, ATM/POS) | Requires review |
| EML-009 | Common attachment type filter not enabled | Medium | Microsoft Graph | none | Requires review |
| EML-010 | Auto-forwarding to external domains allowed | Critical | Microsoft Graph | CUB · Art. 168 Bis 11 XIV — Event prevention/detection + DLP + correlation | Conditional |
| EML-011 | Sender Policy Framework (SPF) record too permissive | High | Microsoft Graph | CUB · Art. 168 Bis 12 IX — Threat hunting (phishing, impersonation, ATM/POS) | Automated |
| EML-012 | DKIM signing not enabled for all domains | High | Microsoft Graph | CUB · Art. 168 Bis 12 IX — Threat hunting (phishing, impersonation, ATM/POS) | Automated |
| EML-013 | DMARC policy not set to reject | High | Microsoft Graph | CUB · Art. 168 Bis 12 IX — Threat hunting (phishing, impersonation, ATM/POS) | Automated |
| EML-014 | External email tagging not enabled | Medium | Microsoft Graph | CUB · Art. 168 Bis 11 XIV — Event prevention/detection + DLP + correlation; CUB · Art. 168 Bis 12 IX — Threat hunting (phishing, impersonation, ATM/POS) | Requires review |
| EML-015 | Mailbox audit logging not enabled | High | Microsoft Graph | CUB · Art. 168 Bis 11 VIII — Audit log integrity | Requires review |
| EML-016 | Shared mailbox sign-in not disabled | Medium | Microsoft Graph | none | Automated |
| EML-017 | No zero-hour auto purge (ZAP) configured | High | Microsoft Graph | CUB · Art. 168 Bis 12 IX — Threat hunting (phishing, impersonation, ATM/POS) | Requires review |
| EML-018 | Calendar sharing with external users unrestricted | Medium | Microsoft Graph | none | Requires review |

| Code | Control | Severity | Plane | Evidence | Coverage |
|---|---|---|---|---|---|
| DLP-001 | No DLP policies configured | High | Microsoft Graph | CUB · Art. 168 Bis 11 XIV — Event prevention/detection + DLP + correlation | Automated |
| DLP-002 | Sensitivity labels not deployed | High | Microsoft Graph | CUB · Art. 168 Bis 11 XIV — Event prevention/detection + DLP + correlation | Requires review |
| DLP-003 | External sharing enabled globally on SharePoint | Critical | Microsoft Graph | LFPDPPP · Article 19; CUB · Art. 168 Bis 11 XIV — Event prevention/detection + DLP + correlation | Conditional |
| DLP-004 | OneDrive files shared with "Anyone" links | High | Microsoft Graph | none | Requires review |
| DLP-005 | No retention policies for sensitive data | Medium | Microsoft Graph | none | Automated |
| DLP-006 | Information barriers not configured | Low | Microsoft Graph | none | Requires review |
| PUR-001 | No sensitivity labels deployed | High | Microsoft Graph | NOM-151-SCFI-2016 · 5.1 Integrity | Automated |
| PUR-004 | DLP alerts active (data leak risk) | High | Microsoft Graph | CUB · Art. 168 Bis 11 XIV — Event prevention/detection + DLP + correlation | Automated |
| PUR-005 | Insider risk alerts detected | Critical | Microsoft Graph | CUB · Art. 168 Bis 11 XIV — Event prevention/detection + DLP + correlation | Requires review |
| TMS-004 | Teams channels shared with external organizations | Medium | Microsoft Graph | none | Requires review |
| DLP-007 | No sensitivity labels published | High | Microsoft Graph | none | Automated |
| DLP-008 | Default sensitivity label not configured | Medium | Microsoft Graph | none | Requires review |
| DLP-009 | Auto-labeling policies not configured | Medium | Microsoft Graph | none | Requires review |
| DLP-010 | No DLP policy for credit card numbers | High | Microsoft Graph | none | Requires review |
| DLP-011 | No DLP policy for personal identification numbers (CURP/RFC) | High | Microsoft Graph | none | Requires review |
| DLP-012 | External sharing in OneDrive set to Anyone | Critical | Microsoft Graph | none | Requires review |
| DLP-013 | SharePoint external sharing too permissive | High | Microsoft Graph | none | Requires review |
| DLP-014 | No retention policy for email | Medium | Microsoft Graph | none | Requires review |
| DLP-015 | No retention policy for Teams messages | Medium | Microsoft Graph | none | Requires review |
| DLP-016 | Versioning not enabled on document libraries | Low | Microsoft Graph | CUB · Art. 168 Bis 11 XII — Detection of tampering with digital books/records; CUB · Art. 168 Bis 11 XIV — Event prevention/detection + DLP + correlation | Requires review |
| DLP-017 | No information barriers configured | Low | Microsoft Graph | none | Requires review |

| Code | Control | Severity | Plane | Evidence | Coverage |
|---|---|---|---|---|---|
| DEV-001 | Intune enrollment not required | High | Microsoft Graph | CUB · Art. 168 Bis 12 II — Annual reviews of MFA, CA, patches and changes | Automated |
| DEV-002 | No device compliance policies | High | Microsoft Graph | CUB · Art. 168 Bis 12 II — Annual reviews of MFA, CA, patches and changes | Automated |
| DEV-003 | BitLocker not enforced | Medium | Microsoft Graph | none | Requires review |
| DEV-004 | Personal devices accessing corporate data | Medium | Microsoft Graph | none | Automated |
| DEV-005 | Windows Update rings not configured | Low | Microsoft Graph | none | Automated |
| MDM-001 | Non-compliant devices enrolled in Intune | High | Microsoft Graph | CUB · Art. 168 Bis 12 II — Annual reviews of MFA, CA, patches and changes | Automated |
| MDM-002 | No device compliance policies defined | Critical | Microsoft Graph | none | Automated |
| MDM-003 | No app protection policies (MAM) | High | Microsoft Graph | none | Automated |
| MDM-004 | No device configuration profiles deployed | Medium | Microsoft Graph | none | Automated |
| MDM-005 | Autopilot not configured | Low | Microsoft Graph | none | Automated |
| MDM-006 | No device enrollment restrictions | Medium | Microsoft Graph | none | Automated |
| MDM-007 | Windows Hello for Business not configured | Medium | Microsoft Graph | CUB · Art. 310 IV — Category 4 authentication factor (biometrics) | Requires review |
| MDM-008 | No Windows Update rings configured | High | Microsoft Graph | CUB · Art. 168 Bis 12 II — Annual reviews of MFA, CA, patches and changes | Automated |
| MDM-009 | No app protection policy for iOS/Android | High | Microsoft Graph | none | Automated |
| MDM-010 | Personal devices not blocked from enrollment | Medium | Microsoft Graph | none | Requires review |
| MDM-011 | No device compliance policy for jailbroken devices | High | Microsoft Graph | CUB · Art. 168 Bis 12 II — Annual reviews of MFA, CA, patches and changes | Requires review |
| MDM-012 | Endpoint DLP not configured | Medium | Microsoft Graph | CUB · Art. 168 Bis 11 XIV — Event prevention/detection + DLP + correlation | Requires review |
| MDM-013 | Attack surface reduction rules not enabled | High | Microsoft Graph | CUB · Art. 168 Bis 11 XIV — Event prevention/detection + DLP + correlation | Requires review |
| MDM-014 | No Autopilot deployment profile | Low | Microsoft Graph | none | Requires review |
| MDM-015 | Defender for Endpoint not onboarded | Critical | Microsoft Graph | CUB · Art. 168 Bis 11 IX — Incident management; CUB · Art. 168 Bis 12 IX — Threat hunting (phishing, impersonation, ATM/POS) | Automated |

| Code | Control | Severity | Plane | Evidence | Coverage |
|---|---|---|---|---|---|
| APP-001 | OAuth app consents not reviewed | High | Microsoft Graph | none | Requires review |
| APP-002 | Users can consent to apps without admin approval | Critical | Microsoft Graph | none | Requires review |
| APP-003 | Enterprise apps with excessive API permissions | High | Microsoft Graph | none | Requires review |
| APP-004 | Unverified publisher apps allowed | Medium | Microsoft Graph | none | Requires review |
| APP-005 | App registration not restricted | Medium | Microsoft Graph | none | Conditional |
| PWR-001 | No DLP policies for Power Platform connectors | High | Microsoft Graph | none | Requires review |
| PWR-003 | Power Apps shared with entire organization | Medium | Microsoft Graph | none | Requires review |
| TMS-005 | External access (federation) not restricted in Teams | High | Microsoft Graph | none | Requires review |
| TMS-006 | Guest access enabled in Teams without restrictions | Medium | Microsoft Graph | none | Requires review |
| TMS-007 | Unmanaged apps allowed in Teams | Medium | Microsoft Graph | none | Requires review |
| TMS-008 | Anonymous users can join meetings | Medium | Microsoft Graph | none | Requires review |
| TMS-009 | No Teams meeting recording policy | Low | Microsoft Graph | none | Requires review |
| TMS-010 | Teams file sharing with external users unrestricted | High | Microsoft Graph | none | Requires review |
| TMS-011 | No lobby policy for external participants | Medium | Microsoft Graph | none | Requires review |
| APP-006 | No app consent policy requiring admin approval | High | Microsoft Graph | none | Requires review |
| APP-007 | Integrated apps not reviewed in 90 days | Medium | Microsoft Graph | none | Automated |
| APP-008 | Service principals with excessive permissions | High | Microsoft Graph | CUB · Art. 168 Bis 11 VI (c) — Rotation of application-to-application credentials; CUB · Art. 168 Bis 14 IV — Annual verification of assignments + exception register | Requires review |
| APP-009 | No app protection policy for managed apps | Medium | Microsoft Graph | none | Automated |
| APP-010 | Power Apps environment sharing too permissive | Medium | Microsoft Graph | CUB · Art. 168 Bis 14 IV — Annual verification of assignments + exception register | Requires review |
| APP-011 | Power Automate flows running as service accounts | Medium | Microsoft Graph | none | Requires review |

| Code | Control | Severity | Plane | Evidence | Coverage |
|---|---|---|---|---|---|
| AUD-001 | Unified audit log not enabled | Critical | Microsoft Graph | LFPDPPP Regulations · Article 57 — Security Measures — Access Control; CUB · Art. 168 Bis 11 VIII — Audit log integrity | Requires review |
| AUD-002 | No alert policies configured | High | Microsoft Graph | LFPDPPP Regulations · Article 60 — Corrective Measures; CUB · Art. 168 Bis 11 IX — Incident management | Requires review |
| AUD-003 | Retention policies not meeting compliance | Medium | Microsoft Graph | CUB · Art. 168 Bis 11 VIII — Audit log integrity; CUB · Art. 168 Bis 17 — Incident register, 10 years; NOM-151-SCFI-2016 · 5.1 Integrity | Automated |
| AUD-004 | eDiscovery not configured | Low | Microsoft Graph | none | Automated |
| AUD-005 | Admin activity logging gaps | Medium | Microsoft Graph | CUB · Art. 168 Bis 11 VIII — Audit log integrity | Automated |
| PUR-002 | No retention labels configured | High | Microsoft Graph | CUB · Art. 168 Bis 11 XII — Detection of tampering with digital books/records | Automated |
| PUR-003 | No eDiscovery cases — incident readiness gap | Low | Microsoft Graph | none | Automated |
| SEN-001 | Microsoft Sentinel not deployed | High | Azure Resource Manager | LFPDPPP Regulations · Article 60 — Corrective Measures; CUB · Art. 168 Bis 11 IX — Incident management; CUB · Art. 168 Bis 11 XIV — Event prevention/detection + DLP + correlation; CUB · Art. 168 Bis 14 VI — NIST CSF cycle (identify/protect/detect/respond/recover) | Automated |
| SEN-002 | No Sentinel analytics rules enabled | Critical | Azure Resource Manager | CUB · Art. 168 Bis 11 VI (f) — Authentication between components + detection of atypical transactions; CUB · Art. 168 Bis 11 IX — Incident management; CUB · Art. 168 Bis 11 XIV — Event prevention/detection + DLP + correlation; CUB · Art. 168 Bis 12 IX — Threat hunting (phishing, impersonation, ATM/POS); CUB · Art. 168 Bis 14 VI — NIST CSF cycle (identify/protect/detect/respond/recover) | Conditional |
| SEN-003 | Active high-severity Sentinel incidents | Critical | Azure Resource Manager | CUB · Art. 168 Bis 11 VI (f) — Authentication between components + detection of atypical transactions; CUB · Art. 168 Bis 11 IX — Incident management; CUB · Art. 168 Bis 11 XIV — Event prevention/detection + DLP + correlation; CUB · Art. 168 Bis 12 IX — Threat hunting (phishing, impersonation, ATM/POS); CUB · Art. 168 Bis 14 VI — NIST CSF cycle (identify/protect/detect/respond/recover); CUB · Art. 168 Bis 17 — Incident register, 10 years | Conditional |
| SEN-004 | No Sentinel automation rules configured | Medium | Azure Resource Manager | CUB · Art. 168 Bis 11 IX — Incident management; CUB · Art. 168 Bis 11 XIV — Event prevention/detection + DLP + correlation; CUB · Art. 168 Bis 14 VI — NIST CSF cycle (identify/protect/detect/respond/recover) | Conditional |
| AUD-006 | No audit log retention beyond 90 days | High | Microsoft Graph | CUB · Art. 168 Bis 11 VIII — Audit log integrity; CUB · Art. 168 Bis 17 — Incident register, 10 years | Automated |
| AUD-007 | No alert policies for suspicious activity | High | Microsoft Graph | CUB · Art. 168 Bis 11 IX — Incident management | Requires review |
| AUD-008 | No litigation hold configured | Medium | Microsoft Graph | CUB · Art. 168 Bis 11 XII — Detection of tampering with digital books/records | Requires review |
| AUD-009 | Admin consent workflow not configured | Medium | Microsoft Graph | none | Conditional |
| AUD-010 | No customer lockbox enabled | Low | Microsoft Graph | none | Requires review |
| AUD-011 | Security and compliance center alerts not configured | Medium | Microsoft Graph | none | Requires review |
| AUD-012 | No insider risk management policy | Medium | Microsoft Graph | CUB · Art. 168 Bis 11 XIV — Event prevention/detection + DLP + correlation | Requires review |
| AUD-013 | Communication compliance not configured | Low | Microsoft Graph | CUB · Art. 168 Bis 11 XIV — Event prevention/detection + DLP + correlation; CUB · Art. 168 Bis 12 VIII — Annual training and awareness | Requires review |
| AUD-014 | Critical audit logs retained less than 3 years (CNBV Art. 168 Bis 11 VIII) | High | Microsoft Graph | CUB · Art. 168 Bis 11 VIII — Audit log integrity | Conditional |
| AUD-015 | Security incident archive not immutable or retained less than 10 years (CNBV Art. 168 Bis 17) | High | Microsoft Graph | CUB · Art. 168 Bis 17 — Incident register, 10 years | Conditional |

| Code | Control | Severity | Plane | Evidence | Coverage |
|---|---|---|---|---|---|
| OPS-001 | No Power Automate governance policies | Medium | Microsoft Graph | none | Requires review |
| OPS-002 | Teams governance not configured | Medium | Microsoft Graph | none | Requires review |
| OPS-003 | No backup solution for M365 data | High | Microsoft Graph | CUB · Art. 168 Bis 11 VII — Backup and recovery | Requires review |
| OPS-004 | Service health monitoring not set up | Low | Microsoft Graph | CUB · Art. 168 Bis 11 XIII — Availability and response-time SLA | Requires review |
| OPS-005 | No incident response runbook | Medium | Microsoft Graph | CUB · Art. 168 Bis 11 IX — Incident management | Requires review |
| PWR-002 | Power Automate flows running without governance | Medium | Microsoft Graph | none | Requires review |
| PWR-004 | Multiple Power Platform environments without controls | Medium | Microsoft Graph | none | Requires review |
| PWR-005 | Power Automate flows lack approval/change control (CNBV Art. 168 Bis 11 XI) | Medium | Microsoft Graph | CUB · Art. 168 Bis 11 XI — Automated controls before/after manual operations | Requires review |
| TMS-001 | Teams external access allows all domains | High | Microsoft Graph | none | Automated |
| TMS-002 | Teams guest access unrestricted | High | Microsoft Graph | none | Requires review |
| TMS-003 | Teams meeting policy allows anonymous join | Medium | Microsoft Graph | none | Requires review |
| OPS-006 | No scheduled compliance assessment | Medium | Microsoft Graph | none | Requires review |
| OPS-007 | No incident response plan documented | High | Microsoft Graph | CUB · Art. 168 Bis 11 IX — Incident management | Requires review |
| OPS-008 | No security awareness training configured | Medium | Microsoft Graph | CUB · Art. 168 Bis 12 VIII — Annual training and awareness; CUB · Art. 168 Bis 14 X — Continuous staff training | Requires review |
| OPS-009 | No backup and recovery plan for M365 data | High | Microsoft Graph | CUB · Art. 168 Bis 11 VII — Backup and recovery | Requires review |
| OPS-010 | Service health alerts not configured | Low | Microsoft Graph | CUB · Art. 168 Bis 11 XIII — Availability and response-time SLA | Requires review |
| OPS-011 | No cloud app security (MCAS) integration | Medium | Microsoft Graph | CUB · Art. 168 Bis 11 XIV — Event prevention/detection + DLP + correlation | Requires review |
| OPS-012 | Privileged access workstation not required for admins | Low | Microsoft Graph | none | Automated |

| Code | Control | Severity | Plane | Evidence | Coverage |
|---|---|---|---|---|---|
| AZR-001 | Defender for Cloud Secure Score below 70% | High | Azure Resource Manager | none | Automated |
| AZR-002 | NSG with SSH/RDP open to internet | Critical | Azure Resource Manager | none | Automated |
| AZR-003 | Storage accounts with public blob access | Critical | Azure Resource Manager | none | Automated |
| AZR-004 | Key Vault without purge protection | High | Azure Resource Manager | none | Automated |
| AZR-005 | Azure Policy non-compliant resources | High | Azure Resource Manager | none | Automated |
| AZR-006 | VMs with unmanaged disks | Medium | Azure Resource Manager | none | Automated |
| AZR-007 | Storage accounts not enforcing TLS 1.2 | High | Azure Resource Manager | CUB · Art. 168 Bis 11 VI (b) — Encryption; CUB · Art. 168 Bis 11 VI (f) — Authentication between components + detection of atypical transactions; CUB · Art. 316 Bis 4 + Art. 168 Bis 11 VI (b) — End-to-end encryption of authentication factors | Automated |
| AZR-008 | No resource locks on critical resources | Medium | Azure Resource Manager | CUB · Art. 168 Bis 11 VII — Backup and recovery | Automated |
| AZR-009 | Unhealthy Defender for Cloud recommendations | High | Azure Resource Manager | none | Automated |
| AZR-010 | No diagnostic settings for Azure Activity Log | Medium | Azure Resource Manager | CUB · Art. 168 Bis 11 VIII — Audit log integrity | Automated |
| NET-001 | No Web Application Firewall (WAF) policies | High | Azure Resource Manager | none | Automated |
| NET-002 | DDoS Protection not enabled on VNets | High | Azure Resource Manager | none | Automated |
| NET-003 | No Private Endpoints configured | Medium | Azure Resource Manager | none | Automated |
| NET-004 | Public IP addresses without NSG association | High | Azure Resource Manager | none | Automated |
| NET-005 | Azure Firewall not deployed | Medium | Azure Resource Manager | none | Automated |
| NET-006 | Network Watcher not enabled in all regions | Medium | Azure Resource Manager | none | Automated |
| NET-007 | VPN Gateway not using IKEv2/OpenVPN | Medium | Azure Resource Manager | none | Automated |
| NET-008 | DNS zones with public delegations | Low | Azure Resource Manager | none | Conditional |
| CMP-001 | VMs without disk encryption (ADE/SSE-CMK) | Critical | Azure Resource Manager | CUB · Art. 168 Bis 11 VI (b) — Encryption; CUB · Art. 316 Bis 4 + Art. 168 Bis 11 VI (b) — End-to-end encryption of authentication factors | Requires review |
| CMP-002 | JIT VM access not enabled | High | Azure Resource Manager | none | Automated |
| CMP-003 | VMs without managed identity | Medium | Azure Resource Manager | CUB · Art. 168 Bis 11 VI (f) — Authentication between components + detection of atypical transactions | Automated |
| CMP-004 | VM extensions with known vulnerabilities | High | Azure Resource Manager | none | Requires review |
| CMP-005 | Auto-shutdown not configured on dev/test VMs | Low | Azure Resource Manager | none | Conditional |
| CMP-006 | VM scale sets without health probes | Medium | Azure Resource Manager | none | Automated |
| CMP-007 | Container registries with admin user enabled | High | Azure Resource Manager | none | Automated |
| CMP-008 | AKS clusters without RBAC | Critical | Azure Resource Manager | none | Automated |
| DBS-001 | SQL Server auditing not enabled | High | Azure Resource Manager | CUB · Art. 168 Bis 11 VIII — Audit log integrity | Conditional |
| DBS-002 | SQL Server firewall allows all Azure services | High | Azure Resource Manager | none | Conditional |
| DBS-003 | Transparent Data Encryption (TDE) not enabled | Critical | Azure Resource Manager | CUB · Art. 168 Bis 11 VI (b) — Encryption; CUB · Art. 316 Bis 4 + Art. 168 Bis 11 VI (b) — End-to-end encryption of authentication factors | Conditional |
| DBS-004 | Cosmos DB without private endpoint | High | Azure Resource Manager | none | Automated |
| DBS-005 | PostgreSQL flexible server without SSL enforced | High | Azure Resource Manager | CUB · Art. 168 Bis 11 VI (b) — Encryption; CUB · Art. 316 Bis 4 + Art. 168 Bis 11 VI (b) — End-to-end encryption of authentication factors | Requires review |
| DBS-006 | MySQL server without SSL enforced | High | Azure Resource Manager | CUB · Art. 168 Bis 11 VI (b) — Encryption; CUB · Art. 316 Bis 4 + Art. 168 Bis 11 VI (b) — End-to-end encryption of authentication factors | Requires review |
| DBS-007 | Redis Cache without TLS and authentication | High | Azure Resource Manager | CUB · Art. 168 Bis 11 VI (b) — Encryption; CUB · Art. 168 Bis 11 VI (f) — Authentication between components + detection of atypical transactions; CUB · Art. 316 Bis 4 + Art. 168 Bis 11 VI (b) — End-to-end encryption of authentication factors | Automated |
| DBS-008 | SQL Advanced Threat Protection not enabled | High | Azure Resource Manager | none | Conditional |
| GOV-001 | No action groups for Azure Monitor alerts | High | Azure Resource Manager | none | Automated |
| GOV-002 | Log Analytics workspace not configured | High | Azure Resource Manager | CUB · Art. 168 Bis 11 VIII — Audit log integrity | Automated |
| GOV-003 | No Azure Monitor metric alerts defined | Medium | Azure Resource Manager | none | Automated |
| GOV-004 | Resource groups without tagging policy | Medium | Azure Resource Manager | none | Automated |
| GOV-005 | No Azure Budget alerts configured | Medium | Azure Resource Manager | none | Automated |
| GOV-006 | Management groups not organized | Low | Azure Resource Manager | none | Automated |
| GOV-007 | Defender for Cloud auto-provisioning disabled | High | Azure Resource Manager | none | Automated |
| GOV-008 | No Azure Advisor recommendations reviewed | Low | Azure Resource Manager | CUB · Art. 168 Bis 11 X — Capacity planning + obsolescence | Conditional |
How to read coverage.

- Automated: the scan emits an automated pass/fail verdict.
- Conditional: evaluated only when the relevant resource exists in the tenant (e.g. Azure SQL rules apply only when SQL servers are present); otherwise marked not applicable.
- Requires review: the control lives in a plane the read-only scan token cannot reach (Power Platform governance, Teams meeting/federation policy, Exchange/Defender policy state). It is flagged for admin consent or manual review and excluded from the posture score.

Control codes (e.g. IAM-001) are stable: they identify the same control across scans and reports.