chore: add azure/network metadata update to changelog

prowler/CHANGELOG.md

@@ -11,6 +11,8 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Update AWS Step Functions service metadata to new format [(#9432)](https://github.com/prowler-cloud/prowler/pull/9432)
 - Update AWS Route 53 service metadata to new format [(#9406)](https://github.com/prowler-cloud/prowler/pull/9406)
 - Update AWS SQS service metadata to new format [(#9429)](https://github.com/prowler-cloud/prowler/pull/9429)
+- Update Azure Network service metadata to new format [(#9624)](https://github.com/prowler-cloud/prowler/pull/9624)
+
 
 ---
 

prowler/providers/azure/services/network/network_bastion_host_exists/network_bastion_host_exists.metadata.json

@@ -1,29 +1,42 @@
 {
   "Provider": "azure",
   "CheckID": "network_bastion_host_exists",
-  "CheckTitle": "Ensure an Azure Bastion Host Exists",
+  "CheckTitle": "Azure subscription has at least one Bastion Host",
   "CheckType": [],
   "ServiceName": "network",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "Network",
-  "Description": "The Azure Bastion service allows secure remote access to Azure Virtual Machines over the Internet without exposing remote access protocol ports and services directly to the Internet. The Azure Bastion service provides this access using TLS over 443/TCP, and subscribes to hardened configurations within an organization's Azure Active Directory service.",
-  "Risk": "The Azure Bastion service allows organizations a more secure means of accessing Azure Virtual Machines over the Internet without assigning public IP addresses to those Virtual Machines. The Azure Bastion service provides Remote Desktop Protocol (RDP) and Secure Shell (SSH) access to Virtual Machines using TLS within a web browser, thus preventing organizations from opening up 3389/TCP and 22/TCP to the Internet on Azure Virtual Machines. Additional benefits of the Bastion service includes Multi-Factor Authentication, Conditional Access Policies, and any other hardening measures configured within Azure Active Directory using a central point of access.",
-  "RelatedUrl": "https://learn.microsoft.com/en-us/azure/bastion/bastion-overview#sku",
+  "ResourceType": "microsoft.network/bastionhosts",
+  "Description": "Azure subscription contains an **Azure Bastion host** for secure RDP/SSH brokering over TLS on `443/TCP` to virtual machines using private IPs. The assessment identifies whether such a bastion is available.",
+  "Risk": "Absent **Bastion**, admins often assign public IPs or open `22/3389`, expanding attack surface.\n\nThis enables Internet brute force, credential stuffing, and RDP/SSH exploits, leading to unauthorized access, data exfiltration, and lateral movement. CIA impact: confidentiality/integrity loss and potential downtime from ransomware.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/powershell/module/az.network/get-azbastion?view=azps-9.2.0",
+    "https://adamtheautomator.com/azure-bastion/",
+    "https://learn.microsoft.com/en-us/azure/templates/microsoft.network/bastionhosts",
+    "https://medium.com/@jose.ruy.borges/use-bastion-host-to-connect-to-a-vm-without-setting-up-a-vpn-connection-in-azure-9d6fcfbb487a",
+    "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Network/bastion-host-exists.html",
+    "https://platform.qa.com/lab/connecting-to-azure-vm-using-bastion-host/creating-an-azure-bastion-host-using-azure-portal/",
+    "https://learn.microsoft.com/en-us/azure/bastion/bastion-overview#sku",
+    "https://learn.microsoft.com/en-us/azure/firewall/deploy-ps",
+    "https://github.com/anuyen/terraform-azurerm-bastion"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "az network bastion create --location <location> --name <name of bastion host> --public-ip-address <public IP address name or ID> --resource-group <resource group name or ID> --vnet-name <virtual network containing subnet called 'AzureBastionSubnet'> --scale-units <integer> --sku Standard [--disable-copy- paste true|false] [--enable-ip-connect true|false] [--enable-tunneling true|false]",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Network/bastion-host-exists.html",
-      "Terraform": ""
+      "CLI": "",
+      "NativeIaC": "```bicep\n// Minimal Bicep to ensure at least one Bastion Host exists in the subscription\nparam location string = resourceGroup().location\n\nresource vnet 'Microsoft.Network/virtualNetworks@2022-07-01' = {\n  name: '<example_resource_name>-vnet'\n  location: location\n  properties: {\n    addressSpace: { addressPrefixes: ['10.0.0.0/24'] }\n    subnets: [\n      {\n        name: 'AzureBastionSubnet'\n        properties: { addressPrefix: '10.0.0.0/27' }\n      }\n    ]\n  }\n}\n\nresource pip 'Microsoft.Network/publicIPAddresses@2022-07-01' = {\n  name: '<example_resource_name>-pip'\n  location: location\n  sku: { name: 'Standard' }\n  properties: { publicIPAllocationMethod: 'Static' }\n}\n\nresource bastion 'Microsoft.Network/bastionHosts@2024-10-01' = {\n  name: '<example_resource_name>'\n  location: location\n  sku: { name: 'Basic' }\n  properties: {\n    ipConfigurations: [\n      {\n        name: 'IpConf'\n        properties: {\n          subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'AzureBastionSubnet') } // Critical: attaches Bastion to required AzureBastionSubnet so resource can be created\n          publicIPAddress: { id: pip.id } // Critical: associates required Public IP with Bastion\n        }\n      }\n    ]\n  }\n}\n```",
+      "Other": "1. In the Azure portal, go to Networking > Bastions > Create\n2. Select your Subscription and a Resource group\n3. Enter a Name and Region\n4. Under Virtual network, select an existing VNet or click Create new\n5. Ensure a subnet named AzureBastionSubnet exists with a /27 address space; create it if prompted\n6. For Public IP address, click Create new and accept defaults\n7. Click Review + create, then Create\n8. After deployment completes, the subscription now has a Bastion Host (check passes)",
+      "Terraform": "```hcl\n# Minimal Terraform to create one Bastion Host (fixes FAIL by ensuring existence)\nresource \"azurerm_resource_group\" \"example\" {\n  name     = \"<example_resource_name>\"\n  location = \"eastus\"\n}\n\nresource \"azurerm_virtual_network\" \"example\" {\n  name                = \"<example_resource_name>-vnet\"\n  location            = azurerm_resource_group.example.location\n  resource_group_name = azurerm_resource_group.example.name\n  address_space       = [\"10.0.0.0/24\"]\n}\n\nresource \"azurerm_subnet\" \"bastion\" {\n  name                 = \"AzureBastionSubnet\"\n  resource_group_name  = azurerm_resource_group.example.name\n  virtual_network_name = azurerm_virtual_network.example.name\n  address_prefixes     = [\"10.0.0.0/27\"]\n}\n\nresource \"azurerm_public_ip\" \"example\" {\n  name                = \"<example_resource_name>-pip\"\n  location            = azurerm_resource_group.example.location\n  resource_group_name = azurerm_resource_group.example.name\n  allocation_method   = \"Static\"\n  sku                 = \"Standard\"\n}\n\nresource \"azurerm_bastion_host\" \"example\" {\n  name                = \"<example_resource_name>\"\n  location            = azurerm_resource_group.example.location\n  resource_group_name = azurerm_resource_group.example.name\n\n  # Critical: creating the Bastion Host resource is what changes the check to PASS\n  sku = \"Basic\"  # Critical: required for Bastion creation\n\n  ip_configuration {                     \n    name                 = \"IpConf\"\n    subnet_id            = azurerm_subnet.bastion.id            # Critical: attaches Bastion to AzureBastionSubnet\n    public_ip_address_id = azurerm_public_ip.example.id         # Critical: associates required Public IP\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "From Azure Portal* 1. Click on Bastions 2. Select the Subscription 3. Select the Resource group 4. Type a Name for the new Bastion host 5. Select a Region 6. Choose Standard next to Tier 7. Use the slider to set the Instance count 8. Select the Virtual network or Create new 9. Select the Subnet named AzureBastionSubnet. Create a Subnet named AzureBastionSubnet using a /26 CIDR range if it doesn't already exist. 10. Selct the appropriate Public IP address option. 11. If Create new is selected for the Public IP address option, provide a Public IP address name. 12. If Use existing is selected for Public IP address option, select an IP address from Choose public IP address 13. Click Next: Tags > 14. Configure the appropriate Tags 15. Click Next: Advanced > 16. Select the appropriate Advanced options 17. Click Next: Review + create > 18. Click Create From Azure CLI az network bastion create --location <location> --name <name of bastion host> --public-ip-address <public IP address name or ID> --resource-group <resource group name or ID> --vnet-name <virtual network containing subnet called 'AzureBastionSubnet'> --scale-units <integer> --sku Standard [--disable-copy- paste true|false] [--enable-ip-connect true|false] [--enable-tunneling true|false] From PowerShell Create the appropriate Virtual network settings and Public IP Address settings. $subnetName = 'AzureBastionSubnet' $subnet = New-AzVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix <IP address range in CIDR notation making sure to use a /26> $virtualNet = New-AzVirtualNetwork -Name <virtual network name> - ResourceGroupName <resource group name> -Location <location> -AddressPrefix <IP address range in CIDR notation> -Subnet $subnet $publicip = New-AzPublicIpAddress -ResourceGroupName <resource group name> - Name <public IP address name> -Location <location> -AllocationMethod Dynamic -Sku Standard",
-      "Url": "https://learn.microsoft.com/en-us/powershell/module/az.network/get-azbastion?view=azps-9.2.0"
+      "Text": "Standardize on **Azure Bastion** for admin access.\n\nRemove VM public IPs and deny inbound `22`/`3389` via perimeter controls and NSGs. Apply **least privilege** and just-in-time access, integrate **Entra ID** with **MFA** and conditional access, monitor sessions/logs, and segment networks so only Bastion can reach management ports.",
+      "Url": "https://hub.prowler.com/check/network_bastion_host_exists"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": "The Azure Bastion service incurs additional costs and requires a specific virtual network configuration. The Standard tier offers additional configuration options compared to the Basic tier and may incur additional costs for those added features."

prowler/providers/azure/services/network/network_flow_log_captured_sent/network_flow_log_captured_sent.metadata.json

@@ -1,29 +1,36 @@
 {
   "Provider": "azure",
   "CheckID": "network_flow_log_captured_sent",
-  "CheckTitle": "Ensure that network flow logs are captured and fed into a central log analytics workspace.",
+  "CheckTitle": "Network Watcher has flow logs enabled and sent to a Log Analytics workspace",
   "CheckType": [],
   "ServiceName": "network",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "high",
-  "ResourceType": "Network",
-  "Description": "Ensure that network flow logs are captured and fed into a central log analytics workspace.",
-  "Risk": "Network Flow Logs provide valuable insight into the flow of traffic around your network and feed into both Azure Monitor and Azure Sentinel (if in use), permitting the generation of visual flow diagrams to aid with analyzing for lateral movement, etc.",
-  "RelatedUrl": "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-4-enable-network-logging-for-security-investigation",
+  "ResourceType": "microsoft.network/networkwatchers",
+  "Description": "**Azure Network Watcher** has **NSG flow logs** enabled and configured to forward traffic records to a centralized **Log Analytics workspace**",
+  "Risk": "Missing or disabled flow logging blinds visibility into network behavior, hindering detection of:\n- **Lateral movement** and internal scanning\n- **C2 beacons** and exfiltration patterns\nThis degrades incident response and correlation, impacting **confidentiality** and **integrity**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal",
+    "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-4-enable-network-logging-for-security-investigation"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "az network watcher flow-log configure -g <RESOURCE_GROUP> --nsg <NSG_NAME> --location <REGION> --enabled true --storage-account <STORAGE_ACCOUNT_NAME> --traffic-analytics true --workspace <LOG_ANALYTICS_WORKSPACE_ID> --workspace-region <WORKSPACE_REGION>",
+      "NativeIaC": "```bicep\n// Enable NSG flow logs and send to Log Analytics\nresource flowLog 'Microsoft.Network/networkWatchers/flowLogs@2022-09-01' = {\n  name: '<example_resource_name>/<example_resource_name>'\n  location: '<REGION>'\n  properties: {\n    enabled: true // CRITICAL: turns on flow logs\n    targetResourceId: '<example_resource_id>' // NSG resource ID\n    storageId: '<example_resource_id>' // required for NSG flow logs\n    flowAnalyticsConfiguration: {\n      networkWatcherFlowAnalyticsConfiguration: {\n        enabled: true // CRITICAL: sends flow logs to Log Analytics\n        workspaceResourceId: '<example_resource_id>' // Log Analytics workspace resource ID\n      }\n    }\n  }\n}\n```",
+      "Other": "1. In Azure portal, go to Network Watcher > Flow logs\n2. Click + Create (or Create flow log)\n3. Select the target NSG and region\n4. Set Status to On\n5. Select a Storage account\n6. Enable Traffic analytics, then select your Log Analytics workspace\n7. Click Review + create, then Create",
+      "Terraform": "```hcl\n# Enable NSG flow logs and send to Log Analytics\nresource \"azurerm_network_watcher_flow_log\" \"<example_resource_name>\" {\n  network_watcher_name       = \"<example_resource_name>\"\n  resource_group_name        = \"<example_resource_name>\"\n  network_security_group_id  = \"<example_resource_id>\"\n  storage_account_id         = \"<example_resource_id>\"\n\n  enabled = true # CRITICAL: turns on flow logs\n\n  traffic_analytics {        \n    enabled                = true # CRITICAL: sends flow logs to Log Analytics\n    workspace_id           = \"<example_resource_id>\"      # workspace_id (GUID) or use data source\n    workspace_region       = \"<REGION>\"\n    workspace_resource_id  = \"<example_resource_id>\"      # Log Analytics workspace resource ID\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "1. Navigate to Network Watcher. 2. Select NSG flow logs. 3. Select + Create. 4. Select the desired Subscription. 5. Select + Select NSG. 6. Select a network security group. 7. Click Confirm selection. 8. Select or create a new Storage Account. 9. Input the retention in days to retain the log. 10. Click Next. 11. Under Configuration, select Version 2. 12. If rich analytics are required, select Enable Traffic Analytics, a processing interval, and a Log Analytics Workspace. 13. Select Next. 14. Optionally add Tags. 15. Select Review + create. 16. Select Create. Warning The remediation policy creates remediation deployment and names them by concatenating the subscription name and the resource group name. The MAXIMUM permitted length of a deployment name is 64 characters. Exceeding this will cause the remediation task to fail.",
-      "Url": "https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal"
+      "Text": "Enable and centrally aggregate **NSG flow logs** to a **Log Analytics workspace**.\n\n- Enforce least privilege on log data\n- Define retention and secure storage\n- Use layered monitoring (e.g., Traffic Analytics)\n- Ensure coverage across regions/subscriptions and critical NSGs",
+      "Url": "https://hub.prowler.com/check/network_flow_log_captured_sent"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "logging",
+    "forensics-ready"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": "The impact of configuring NSG Flow logs is primarily one of cost and configuration. If deployed, it will create storage accounts that hold minimal amounts of data on a 5-day lifecycle before feeding to Log Analytics Workspace. This will increase the amount of data stored and used by Azure Monitor."

prowler/providers/azure/services/network/network_flow_log_more_than_90_days/network_flow_log_more_than_90_days.metadata.json

@@ -1,29 +1,43 @@
 {
   "Provider": "azure",
   "CheckID": "network_flow_log_more_than_90_days",
-  "CheckTitle": "Ensure that Network Security Group Flow Log retention period is 0, 90 days or greater",
+  "CheckTitle": "Network Watcher has all flow logs enabled with retention set to 0 or at least 90 days",
   "CheckType": [],
   "ServiceName": "network",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "Network",
-  "Description": "Network Security Group Flow Logs should be enabled and the retention period set to greater than or equal to 90 days.",
-  "Risk": "Flow logs enable capturing information about IP traffic flowing in and out of network security groups. Logs can be used to check for anomalies and give insight into suspected breaches.",
-  "RelatedUrl": " https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview",
+  "ResourceType": "microsoft.network/networkwatchers",
+  "Description": "**NSG flow logs** in Azure Network Watcher are configured and retained for at least `90` days (or `0` for unlimited). The evaluation checks that flow logging is enabled and that the retention policy meets the required duration for each configured log.",
+  "Risk": "Absent or short-retained **NSG flow logs** reduce visibility into IP flows, delaying detection of port scans, brute force, data exfiltration, and lateral movement.\n\nForensics and accountability degrade, threatening **confidentiality** and **integrity**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Network/sufficient-nsg-flow-log-retention-period.html",
+    "https://cloud-kb.sentinelone.com/nsg-flow-logs-retention-period",
+    "https://docs.microsoft.com/en-us/cli/azure/network/watcher/flow-log?view=azure-cli-latest",
+    "https://docs.prowler.com/checks/azure/azure-logging-policies/bc_azr_logging_1/",
+    "https://docs.prowler.com/checks/azure/azure-logging-policies/bc_azr_logging_1#terraform",
+    "https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Network/sufficient-nsg-flow-log-retention-period.html",
+    "https://github.com/MicrosoftDocs/azure-docs/issues/69518",
+    "https://support.icompaas.com/support/solutions/articles/62000229906-ensure-that-network-security-group-flow-log-retention-period-is-greater-than-90-days-"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "az network watcher flow-log configure --nsg <NameorID of the Network Security Group> --enabled true --resource-group <resourceGroupName> --retention 91 -- storage-account <NameorID of the storage account to save flow logs>",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Network/sufficient-nsg-flow-log-retention-period.html",
-      "Terraform": "https://docs.prowler.com/checks/azure/azure-logging-policies/bc_azr_logging_1#terraform"
+      "CLI": "az network watcher flow-log create --location <LOCATION> --name <example_resource_name> --nsg <example_resource_id> --storage-account <example_resource_id> --retention 90",
+      "NativeIaC": "```bicep\n// Enable NSG flow logs with retention >= 90 days\nresource flowlog 'Microsoft.Network/networkWatchers/flowLogs@2023-09-01' = {\n  name: '<example_resource_name>/<example_resource_name>'\n  location: '<LOCATION>'\n  properties: {\n    targetResourceId: '<example_resource_id>'\n    storageId: '<example_resource_id>'\n    enabled: true           // critical: turns on flow logs\n    retentionPolicy: {\n      enabled: true         // critical: activates retention policy\n      days: 90              // critical: 0 (unlimited) or >= 90 to pass\n    }\n  }\n}\n```",
+      "Other": "1. In Azure Portal, go to Network Watcher > NSG flow logs\n2. Select the NSG to configure\n3. Set Status to On\n4. Set Retention (days) to 0 (unlimited) or at least 90\n5. Select a Storage account\n6. Click Save",
+      "Terraform": "```hcl\n# Enable NSG flow logs with retention >= 90 days\nresource \"azurerm_network_watcher_flow_log\" \"<example_resource_name>\" {\n  name                 = \"<example_resource_name>\"\n  network_watcher_name = \"<example_resource_name>\"\n  resource_group_name  = \"<example_resource_name>\"\n  target_resource_id   = \"<example_resource_id>\"\n  storage_account_id   = \"<example_resource_id>\"\n\n  enabled = true  # critical: turns on flow logs\n\n  retention_policy {\n    enabled = true # critical: activates retention policy\n    days    = 90   # critical: 0 (unlimited) or >= 90 to pass\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "From Azure Portal 1. Go to Network Watcher 2. Select NSG flow logs blade in the Logs section 3. Select each Network Security Group from the list 4. Ensure Status is set to On 5. Ensure Retention (days) setting greater than 90 days 6. Select your storage account in the Storage account field 7. Select Save From Azure CLI Enable the NSG flow logs and set the Retention (days) to greater than or equal to 90 days. az network watcher flow-log configure --nsg <NameorID of the Network Security Group> --enabled true --resource-group <resourceGroupName> --retention 91 --storage-account <NameorID of the storage account to save flow logs>",
-      "Url": "https://docs.microsoft.com/en-us/cli/azure/network/watcher/flow-log?view=azure-cli-latest"
+      "Text": "Enable **NSG flow logs** and keep retention  `90` days (`0` for unlimited). Restrict and monitor access to logs, store immutably, and stream to a SIEM to detect anomalies. Apply **defense in depth** and **least privilege**. Plan migration to **Virtual network flow logs** as NSG flow logs are being retired.",
+      "Url": "https://hub.prowler.com/check/network_flow_log_more_than_90_days"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "logging",
+    "forensics-ready"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": "This will keep IP traffic logs for longer than 90 days. As a level 2, first determine your need to retain data, then apply your selection here. As this is data stored for longer, your monthly storage costs will increase depending on your data use."

prowler/providers/azure/services/network/network_http_internet_access_restricted/network_http_internet_access_restricted.metadata.json

@@ -1,29 +1,37 @@
 {
   "Provider": "azure",
   "CheckID": "network_http_internet_access_restricted",
-  "CheckTitle": "Ensure that HTTP(S) access from the Internet is evaluated and restricted",
+  "CheckTitle": "Network security group restricts inbound HTTP (port 80) access from the Internet",
   "CheckType": [],
   "ServiceName": "network",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
-  "Severity": "high",
-  "ResourceType": "Network",
-  "Description": "Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required and narrowly configured.",
-  "Risk": "The potential security problem with using HTTP(S) over the Internet is that attackers can use various brute force techniques to gain access to Azure resources. Once the attackers gain access, they can use the resource as a launch point for compromising other resources within the Azure tenant.",
-  "RelatedUrl": "https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-1-establish-network-segmentation-boundaries",
+  "Severity": "medium",
+  "ResourceType": "microsoft.network/networksecuritygroups",
+  "Description": "**Azure Network Security Groups** are evaluated for inbound rules that allow public **HTTP** access on `TCP 80`, including cases where `80` is covered by a port range, from `0.0.0.0/0`, `Internet`, or `*`.",
+  "Risk": "Exposing `TCP 80` to the Internet increases attack surface:\n- Web recon and exploits compromise **integrity** and **availability**\n- Cleartext HTTP can leak credentials, cookies, and data, harming **confidentiality**\n- Public endpoints enable bot abuse and footholds for lateral movement",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://dev.to/buzzgk/azure-network-security-groups-nsgs-securing-your-azure-virtual-network-1kf8",
+    "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Network/unrestricted-http-access.html",
+    "https://notes.51sec.org/Collections/29157b51-1fff-4d97-9b63-22d4cc98efe1",
+    "https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-1-establish-network-segmentation-boundaries"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Network/unrestricted-http-access.html",
-      "Terraform": ""
+      "CLI": "az network nsg rule update --resource-group <RESOURCE_GROUP> --nsg-name <NSG_NAME> --name <RULE_NAME> --access Deny",
+      "NativeIaC": "```bicep\n// Deny inbound HTTP from Internet on an existing NSG\nresource nsg 'Microsoft.Network/networkSecurityGroups@2023-09-01' existing = {\n  name: '<example_resource_name>'\n}\n\nresource denyHttp 'Microsoft.Network/networkSecurityGroups/securityRules@2023-09-01' = {\n  name: '${nsg.name}/Deny-HTTP-Internet'\n  properties: {\n    priority: 100\n    direction: 'Inbound'\n    access: 'Deny'                 // CRITICAL: Denies the HTTP rule so it no longer allows Internet traffic\n    protocol: 'Tcp'\n    sourceAddressPrefix: 'Internet' // CRITICAL: Targets traffic coming from the Internet\n    destinationAddressPrefix: '*'\n    sourcePortRange: '*'\n    destinationPortRange: '80'      // CRITICAL: Blocks port 80 (HTTP)\n  }\n}\n```",
+      "Other": "1. In Azure Portal, go to Network Security Groups and select your NSG\n2. Open Inbound security rules\n3. Find any rule with Action Allow, Protocol TCP or Any, Destination port 80 (or range including 80), and Source Internet/*/0.0.0.0/0\n4. Select the rule and click Edit\n5. Change Action to Deny (or delete the rule)\n6. Click Save",
+      "Terraform": "```hcl\n# Deny inbound HTTP from Internet on an existing NSG\nresource \"azurerm_network_security_rule\" \"deny_http_internet\" {\n  name                        = \"deny-http-internet\"\n  resource_group_name         = \"<example_resource_name>\"\n  network_security_group_name = \"<example_resource_name>\"\n  priority                    = 100\n  direction                   = \"Inbound\"\n  access                      = \"Deny\"           # CRITICAL: Deny so HTTP from Internet is not allowed\n  protocol                    = \"Tcp\"\n  source_address_prefix       = \"Internet\"       # CRITICAL: Matches traffic from the Internet\n  destination_address_prefix  = \"*\"\n  source_port_range           = \"*\"\n  destination_port_range      = \"80\"             # CRITICAL: Blocks port 80 (HTTP)\n}\n```"
     },
     "Recommendation": {
-      "Text": "Where HTTP(S) is not explicitly required and narrowly configured for resources attached to the Network Security Group, Internet-level access to your Azure resources should be restricted or eliminated. For internal access to relevant resources, configure an encrypted network tunnel such as: ExpressRoute Site-to-site VPN Point-to-site VPN",
-      "Url": ""
+      "Text": "Apply **least privilege** at NSGs:\n- Remove broad allows to `TCP 80`, or restrict to trusted sources\n- Enforce **HTTPS (443)** and redirect or block HTTP\n- Use **private access** patterns and segmentation for **defense in depth**\n- If exposure is necessary, place services behind a **WAF**, enable **DDoS** protections, and monitor",
+      "Url": "https://hub.prowler.com/check/network_http_internet_access_restricted"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/azure/services/network/network_public_ip_shodan/network_public_ip_shodan.metadata.json

@@ -1,26 +1,30 @@
 {
   "Provider": "azure",
   "CheckID": "network_public_ip_shodan",
-  "CheckTitle": "Check if an Azure Public IP is exposed in Shodan (requires Shodan API KEY).",
+  "CheckTitle": "Azure public IP address is not listed in Shodan",
   "CheckType": [],
   "ServiceName": "network",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "high",
-  "ResourceType": "Network",
-  "Description": "Check if an Azure Public IP is exposed in Shodan (requires Shodan API KEY).",
-  "Risk": "If an Azure Public IP is exposed in Shodan, it can be accessed by anyone on the internet. This can lead to unauthorized access to your resources.",
+  "ResourceType": "microsoft.network/publicipaddresses",
+  "Description": "Azure Public IP addresses detected as **indexed by Shodan**, indicating Internet-visible services with open `ports` and service banner metadata.",
+  "Risk": "Shodan-visible IPs are easy to discover and target, elevating risks to **confidentiality** and **integrity**. Adversaries can enumerate banners, probe open ports, brute-force access, and exploit known CVEs, enabling unauthorized entry, data exfiltration, and lateral movement.",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.shodan.io/",
+    "https://cqr.company/blog/external-attack-surface-audit-how-fofa-shodan-and-censys-help-you-find-forgotten-services-and-leaks/"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "az network public-ip delete --resource-group <RESOURCE_GROUP> --name <PUBLIC_IP_NAME>",
+      "NativeIaC": "```bicep\n// Remove public exposure by NOT associating a public IP\nresource subnet 'Microsoft.Network/virtualNetworks/subnets@2023-11-01' existing = {\n  name: '<example_vnet_name>/<example_subnet_name>'\n}\n\nresource nic 'Microsoft.Network/networkInterfaces@2023-11-01' = {\n  name: '<example_resource_name>'\n  location: resourceGroup().location\n  properties: {\n    ipConfigurations: [\n      {\n        name: 'ipconfig1'\n        properties: {\n          privateIPAllocationMethod: 'Dynamic'\n          subnet: { id: subnet.id }\n          // CRITICAL: No 'publicIPAddress' property -> NIC has no public IP, preventing Shodan listing\n        }\n      }\n    ]\n  }\n}\n```",
+      "Other": "1. In the Azure portal, go to Public IP addresses and select the affected IP\n2. Click Dissociate and confirm to remove it from the attached resource\n3. Click Delete to remove the Public IP from your subscription",
+      "Terraform": "```hcl\n# NIC without a public IP association\nresource \"azurerm_network_interface\" \"<example_resource_name>\" {\n  name                = \"<example_resource_name>\"\n  location            = \"<LOCATION>\"\n  resource_group_name = \"<RESOURCE_GROUP>\"\n\n  ip_configuration {\n    name                          = \"ipconfig1\"\n    subnet_id                     = \"<example_resource_id>\"\n    private_ip_address_allocation = \"Dynamic\"\n    # CRITICAL: Omit public_ip_address_id -> no public IP, preventing Shodan listing\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Check Identified IPs, Consider changing them to private ones and delete them from Shodan.",
-      "Url": "https://www.shodan.io/"
+      "Text": "Minimize **public exposure**: prefer **private endpoints** or VPN/bastion, restrict ingress per least privilege (avoid `0.0.0.0/0`), close unused ports, patch and harden services, and apply defense-in-depth segmentation. Continuously inventory public IPs and rotate them if sensitive banners were exposed.",
+      "Url": "https://hub.prowler.com/check/network_public_ip_shodan"
     }
   },
   "Categories": [

prowler/providers/azure/services/network/network_rdp_internet_access_restricted/network_rdp_internet_access_restricted.metadata.json

@@ -1,29 +1,43 @@
 {
   "Provider": "azure",
   "CheckID": "network_rdp_internet_access_restricted",
-  "CheckTitle": "Ensure that RDP access from the Internet is evaluated and restricted",
+  "CheckTitle": "Network security group does not allow inbound RDP (TCP 3389) from the Internet",
   "CheckType": [],
   "ServiceName": "network",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "high",
-  "ResourceType": "Network",
-  "Description": "Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.",
-  "Risk": "The potential security problem with using RDP over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on an Azure Virtual Network or even attack networked devices outside of Azure.",
-  "RelatedUrl": "https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices#disable-rdpssh-access-to-azure-virtual-machines",
+  "ResourceType": "microsoft.network/networksecuritygroups",
+  "Description": "**Azure NSG inbound rules** are evaluated for **public RDP exposure**. The finding flags rules that `Allow` `TCP` traffic to `port 3389` from broad sources like `0.0.0.0/0`, `Internet`, or `*`, including ranges that cover `3389`.",
+  "Risk": "Exposed **RDP** enables Internet-wide **brute force** and **credential stuffing**, risking unauthorized console access.\n\nCompromise can cause data theft (**confidentiality**), tampering or malware deployment (**integrity**), VM lockout or disruption (**availability**), and **lateral movement** within the VNet.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Network/unrestricted-rdp-access.html#",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Network/unrestricted-rdp-access.html",
+    "https://learn.microsoft.com/en-za/answers/questions/1374791/policy-to-block-the-creation-of-nsgs-with-rules-th",
+    "https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices#disable-rdpssh-access-to-azure-virtual-machines",
+    "https://vaggeliskappas.com/2015/06/01/secure-azure-virtual-network-using-network-security-groups/",
+    "https://docs.prowler.com/checks/azure/azure-networking-policies/bc_azr_networking_2#terraform",
+    "https://github.com/Azure/azure-policy/issues/305",
+    "https://praveenkumarsreeram.com/2020/09/10/azure-virtual-machines-restrict-remote-desktop-access-to-an-ip-address-using-network-security-groups/",
+    "https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-1-establish-network-segmentation-boundaries",
+    "https://stackoverflow.com/questions/78860454/azure-policy-to-prevent-overly-permissive-nsg-rules-being-created"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Network/unrestricted-rdp-access.html#",
-      "Terraform": "https://docs.prowler.com/checks/azure/azure-networking-policies/bc_azr_networking_2#terraform"
+      "CLI": "az network nsg rule delete --resource-group <RESOURCE_GROUP> --nsg-name <example_resource_name> --name <RDP_RULE_NAME>",
+      "NativeIaC": "```bicep\n// NSG with RDP allowed only from a restricted CIDR (not Internet)\nresource nsg 'Microsoft.Network/networkSecurityGroups@2023-09-01' = {\n  name: '<example_resource_name>'\n  location: '<region>'\n  properties: {\n    securityRules: [\n      {\n        name: 'Allow-RDP-Restricted'\n        properties: {\n          priority: 100\n          direction: 'Inbound'\n          access: 'Allow'\n          protocol: 'Tcp'\n          sourcePortRange: '*'\n          destinationPortRange: '3389'\n          destinationAddressPrefix: '*'\n          sourceAddressPrefix: '<AUTHORIZED_CIDR>' // CRITICAL: restrict source; not \"Internet\", \"*\", or \"0.0.0.0/0\" to pass the check\n        }\n      }\n    ]\n  }\n}\n```",
+      "Other": "1. In Azure Portal, go to Network Security Groups and open the NSG attached to the resource\n2. Select Inbound security rules\n3. Find any rule that allows TCP 3389 with Source set to Any/Internet/*/0.0.0.0/0\n4. Delete the rule, or edit it and set Source to a specific IP/CIDR (e.g., <AUTHORIZED_CIDR>)\n5. Save",
+      "Terraform": "```hcl\n# NSG with RDP allowed only from a restricted CIDR (not Internet)\nresource \"azurerm_network_security_group\" \"<example_resource_name>\" {\n  name                = \"<example_resource_name>\"\n  location            = \"<region>\"\n  resource_group_name = \"<example_resource_name>\"\n\n  security_rule {\n    name                       = \"Allow-RDP-Restricted\"\n    priority                   = 100\n    direction                  = \"Inbound\"\n    access                     = \"Allow\"\n    protocol                   = \"Tcp\"\n    source_port_range          = \"*\"\n    destination_port_range     = \"3389\"\n    destination_address_prefix = \"*\"\n    source_address_prefix      = \"<AUTHORIZED_CIDR>\" # CRITICAL: restrict source; not \"*\", \"Internet\", or \"0.0.0.0/0\" so the check passes\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Where RDP is not explicitly required and narrowly configured for resources attached to the Network Security Group, Internet-level access to your Azure resources should be restricted or eliminated. For internal access to relevant resources, configure an encrypted network tunnel such as: ExpressRoute Site-to-site VPN Point-to-site VPN",
-      "Url": "https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-1-establish-network-segmentation-boundaries"
+      "Text": "Enforce **least privilege** for remote admin:\n- Remove `Allow` to `3389` from `0.0.0.0/0`\n- Limit access to fixed IPs or private networks\n- Prefer Azure Bastion, JIT, or VPN/ExpressRoute\n- Harden auth (strong keys, MFA) and monitor\n\nAdopt **zero trust** and **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/network_rdp_internet_access_restricted"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/azure/services/network/network_ssh_internet_access_restricted/network_ssh_internet_access_restricted.metadata.json

@@ -1,29 +1,43 @@
 {
   "Provider": "azure",
   "CheckID": "network_ssh_internet_access_restricted",
-  "CheckTitle": "Ensure that SSH access from the Internet is evaluated and restricted",
+  "CheckTitle": "Network security group does not allow inbound SSH (TCP port 22) from the Internet",
   "CheckType": [],
   "ServiceName": "network",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "high",
-  "ResourceType": "Network",
-  "Description": "Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.",
-  "Risk": "The potential security problem with using SSH over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network or even attack networked devices outside of Azure.",
-  "RelatedUrl": "https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices#disable-rdpssh-access-to-azure-virtual-machines",
+  "ResourceType": "microsoft.network/networksecuritygroups",
+  "Description": "**Azure NSG** inbound rules that allow **SSH** on `TCP 22` from `0.0.0.0/0`, `Internet`, or `*` are identified, including rules where port ranges include `22` and protocol is `TCP` or `*`.\n\nIndicates NSGs exposing SSH to the Internet.",
+  "Risk": "Public **SSH** access weakens **confidentiality** and **integrity**. Open `22` invites brute force and key theft, enabling remote shell control, persistence, and **lateral movement**. Attackers can pivot into VNets, exfiltrate data, deploy crypto-miners, and impact **availability**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.techbloat.com/terraform-azurerm-network-security-group.html",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Network/unrestricted-ssh-access.html",
+    "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Network/unrestricted-ssh-access.html",
+    "https://www.mantra-networking.com/azure-nsgs/",
+    "https://docs.prowler.com/checks/azure/azure-networking-policies/bc_azr_networking_3#terraform",
+    "https://github.com/Gautam01Dev/Azure-Network",
+    "https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices#disable-rdpssh-access-to-azure-virtual-machines",
+    "https://dev.to/charlie_barajas_353e28103/azure-nsg-routes-3k7a",
+    "https://stackoverflow.com/questions/35780769/changing-ssh-port-22-to-a-custom-port-in-azure-resource-group-vm",
+    "https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-1-establish-network-segmentation-boundaries"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Network/unrestricted-ssh-access.html",
-      "Terraform": "https://docs.prowler.com/checks/azure/azure-networking-policies/bc_azr_networking_3#terraform"
+      "CLI": "az network nsg rule delete --resource-group <RESOURCE_GROUP> --nsg-name <NSG_NAME> --name <RULE_NAME>",
+      "NativeIaC": "```bicep\n// NSG allowing SSH only from a specific source (not the Internet)\nresource <example_resource_name> 'Microsoft.Network/networkSecurityGroups@2023-09-01' = {\n  name: '<example_resource_name>'\n  location: '<location>'\n  properties: {\n    securityRules: [\n      {\n        name: '<example_rule_name>'\n        properties: {\n          priority: 100\n          direction: 'Inbound'\n          access: 'Allow'\n          protocol: 'Tcp'\n          sourcePortRange: '*'\n          destinationPortRange: '22'\n          sourceAddressPrefix: '<ALLOWED_CIDR>' // CRITICAL: restrict SSH source; not Internet/*/0.0.0.0/0\n          destinationAddressPrefix: '*'\n        }\n      }\n    ]\n  }\n}\n```",
+      "Other": "1. In Azure Portal, go to Network security groups and open <NSG_NAME>\n2. Select Inbound security rules\n3. Find any rule that allows TCP 22 from Internet/Any/0.0.0.0/0\n4. Delete the rule, or Edit it and set Source to IP Addresses with only your allowed CIDR(s)\n5. Save",
+      "Terraform": "```hcl\n# Restrict SSH to a specific source so port 22 is not open to the Internet\nresource \"azurerm_network_security_rule\" \"<example_resource_name>\" {\n  name                        = \"<example_rule_name>\"\n  resource_group_name         = \"<example_resource_name>\"\n  network_security_group_name = \"<example_resource_name>\"\n  priority                    = 100\n  direction                   = \"Inbound\"\n  access                      = \"Allow\"\n  protocol                    = \"Tcp\"\n  source_port_range           = \"*\"\n  destination_port_range      = \"22\"\n  source_address_prefix       = \"<ALLOWED_CIDR>\" # CRITICAL: restrict SSH source; not Internet/*/0.0.0.0/0\n  destination_address_prefix  = \"*\"\n}\n```"
     },
     "Recommendation": {
-      "Text": "Where SSH is not explicitly required and narrowly configured for resources attached to the Network Security Group, Internet-level access to your Azure resources should be restricted or eliminated. For internal access to relevant resources, configure an encrypted network tunnel such as: ExpressRoute Site-to-site VPN Point-to-site VPN",
-      "Url": "https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-1-establish-network-segmentation-boundaries"
+      "Text": "Apply **least privilege** on SSH:\n- Remove public rules to `TCP 22` from `0.0.0.0/0`\n- Allowlist specific admin IPs or management subnets\n- Prefer **Azure Bastion**, **JIT access**, or **VPN/ExpressRoute** for admin\n- Use key-based auth, disable passwords, and remove unnecessary public IPs\n\nAdopt **defense in depth** with logging and periodic reviews.",
+      "Url": "https://hub.prowler.com/check/network_ssh_internet_access_restricted"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/azure/services/network/network_udp_internet_access_restricted/network_udp_internet_access_restricted.metadata.json

@@ -1,29 +1,37 @@
 {
   "Provider": "azure",
   "CheckID": "network_udp_internet_access_restricted",
-  "CheckTitle": "Ensure that UDP access from the Internet is evaluated and restricted",
+  "CheckTitle": "Network security group does not allow inbound UDP from the Internet",
   "CheckType": [],
   "ServiceName": "network",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "high",
-  "ResourceType": "Network",
-  "Description": "Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.",
-  "Risk": "The potential security problem with broadly exposing UDP services over the Internet is that attackers can use DDoS amplification techniques to reflect spoofed UDP traffic from Azure Virtual Machines. The most common types of these attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP and other UDP-based services as amplification sources for disrupting services of other machines on the Azure Virtual Network or even attack networked devices outside of Azure.",
-  "RelatedUrl": "https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices#secure-your-critical-azure-service-resources-to-only-your-virtual-networks",
+  "ResourceType": "microsoft.network/networksecuritygroups",
+  "Description": "Network Security Group rules are assessed for **inbound UDP** exposure to the public Internet (e.g., `0.0.0.0/0`, `*`, `Internet`). The finding identifies allow rules that permit unsolicited **UDP** traffic from any external source to attached resources.",
+  "Risk": "Publicly reachable **UDP** services enable **DDoS reflection/amplification**, exhausting bandwidth and compute and degrading **availability** for workloads and networks. Open services (DNS, NTP, SSDP, SNMP, CLDAP) can be abused with spoofed traffic, turning endpoints into amplifiers and disrupting adjacent resources.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.microsoft.com/en-us/azure/security/fundamentals/ddos-best-practices",
+    "https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices#secure-your-critical-azure-service-resources-to-only-your-virtual-networks",
+    "https://docs.prowler.com/checks/azure/azure-networking-policies/ensure-that-udp-services-are-restricted-from-the-internet#terraform",
+    "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Network/unrestricted-udp-access.html#"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Network/unrestricted-udp-access.html#",
-      "Terraform": "https://docs.prowler.com/checks/azure/azure-networking-policies/ensure-that-udp-services-are-restricted-from-the-internet#terraform"
+      "CLI": "az network nsg rule update --resource-group <RESOURCE_GROUP> --nsg-name <NSG_NAME> --name <RULE_NAME> --access Deny",
+      "NativeIaC": "```bicep\n// Update the existing NSG rule to block UDP from the Internet\nresource nsg 'Microsoft.Network/networkSecurityGroups@2023-09-01' existing = {\n  name: '<example_resource_name>'\n}\n\nresource rule 'Microsoft.Network/networkSecurityGroups/securityRules@2023-09-01' = {\n  name: '${nsg.name}/<example_resource_name>'\n  properties: {\n    priority: 100\n    direction: 'Inbound'\n    access: 'Deny' // CRITICAL: Change access to Deny so UDP from Internet is not allowed\n    protocol: 'Udp'\n    sourceAddressPrefix: '*'\n    destinationAddressPrefix: '*'\n    sourcePortRange: '*'\n    destinationPortRange: '*'\n  }\n}\n```",
+      "Other": "1. In the Azure portal, go to Network security groups and open the NSG attached to the resource\n2. Select Inbound security rules\n3. Find any rule with Protocol = UDP, Direction = Inbound, Action = Allow, and Source set to Any/Internet/0.0.0.0/0\n4. Click the rule, set Action to Deny (or change Source to a specific trusted range), then Save\n5. Repeat for any remaining UDP Allow rules from the Internet",
+      "Terraform": "```hcl\n# Modify the existing NSG rule to deny UDP from the Internet\nresource \"azurerm_network_security_rule\" \"<example_resource_name>\" {\n  name                        = \"<example_resource_name>\"  # existing rule name\n  resource_group_name         = \"<example_resource_name>\"\n  network_security_group_name = \"<example_resource_name>\"\n  priority                    = 100\n  direction                   = \"Inbound\"\n  access                      = \"Deny\" # CRITICAL: Change access to Deny to remove the Allow condition\n  protocol                    = \"Udp\"\n  source_address_prefix       = \"*\"\n  destination_address_prefix  = \"*\"\n  source_port_range           = \"*\"\n  destination_port_range      = \"*\"\n}\n```"
     },
     "Recommendation": {
-      "Text": "Where UDP is not explicitly required and narrowly configured for resources attached tothe Network Security Group, Internet-level access to your Azure resources should be restricted or eliminated. For internal access to relevant resources, configure an encrypted network tunnel such as: ExpressRouteSite-to-site VPN Point-to-site VPN",
-      "Url": "https://docs.microsoft.com/en-us/azure/security/fundamentals/ddos-best-practices"
+      "Text": "Apply **least privilege** on NSG rules:\n- Deny Internet `UDP` inbound by default\n- Allow only required sources/ports\n- Prefer private access (VNets, private endpoints, VPN/ExpressRoute)\n- Use **defense in depth** with Azure Firewall and DDoS Protection\n- Monitor and disable or rate-limit unnecessary UDP services",
+      "Url": "https://hub.prowler.com/check/network_udp_internet_access_restricted"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "internet-exposed"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/azure/services/network/network_watcher_enabled/network_watcher_enabled.metadata.json

@@ -1,29 +1,37 @@
 {
   "Provider": "azure",
   "CheckID": "network_watcher_enabled",
-  "CheckTitle": "Ensure that Network Watcher is 'Enabled' for all locations in the Azure subscription",
+  "CheckTitle": "Network Watcher is enabled for all locations in the subscription",
   "CheckType": [],
   "ServiceName": "network",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
-  "Severity": "medium",
-  "ResourceType": "Network",
-  "Description": "Enable Network Watcher for Azure subscriptions.",
-  "Risk": "Network diagnostic and visualization tools available with Network Watcher help users understand, diagnose, and gain insights to the network in Azure.",
-  "RelatedUrl": "https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview",
+  "Severity": "high",
+  "ResourceType": "microsoft.network/networkwatchers",
+  "Description": "**Azure Network Watcher** presence across the subscription's regions. The assessment checks that a Network Watcher instance exists in every subscription location where resources may be deployed.",
+  "Risk": "Absent **Network Watcher** in a region creates blind spots in **network telemetry and diagnostics**, hindering detection of anomalies. Attackers can exploit unnoticed NSG or routing issues for lateral movement or data exfiltration, degrading **confidentiality** and **availability** and slowing incident triage.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v2-logging-threat-detection#lt-3-enable-logging-for-azure-network-activities",
+    "https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview",
+    "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Network/enable-network-watcher.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Network/enable-network-watcher.html",
-      "Terraform": ""
+      "CLI": "az network watcher configure --resource-group NetworkWatcherRG --enabled true --locations <LOCATION_1> <LOCATION_2>",
+      "NativeIaC": "```bicep\n// Deploy this to the resource group named \"NetworkWatcherRG\"\nparam locations array\n\nresource watchers 'Microsoft.Network/networkWatchers@2023-09-01' = [for loc in locations: {\n  name: 'NetworkWatcher_${loc}'\n  location: loc // CRITICAL: creates a Network Watcher in the specified region\n}]\n```",
+      "Other": "1. In Azure Portal, search for \"Network Watcher\" and open it\n2. Select the target subscription\n3. In Overview, under Regions, for each region with Status = Disabled, click Enable\n4. Confirm all regions show Enabled",
+      "Terraform": "```hcl\nvariable \"locations\" {\n  type = list(string)\n}\n\nresource \"azurerm_network_watcher\" \"watchers\" {\n  for_each           = toset(var.locations)\n  name               = \"NetworkWatcher_${each.value}\"\n  location           = each.value       # CRITICAL: ensures a watcher exists in this region\n  resource_group_name = \"NetworkWatcherRG\" # CRITICAL: place in NetworkWatcherRG as expected by the check\n}\n```"
     },
     "Recommendation": {
-      "Text": "Opting out of Network Watcher automatic enablement is a permanent change. Once you opt-out you cannot opt-in without contacting support.",
-      "Url": "https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v2-logging-threat-detection#lt-3-enable-logging-for-azure-network-activities"
+      "Text": "Enable **Network Watcher** in all regions and keep it enabled as your footprint expands.\n\nApply **defense in depth** by centralizing network logs and analytics, enforce coverage with policy, and restrict tool access by **least privilege**. Align retention and monitoring to support timely detection and investigation.",
+      "Url": "https://hub.prowler.com/check/network_watcher_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "logging",
+    "forensics-ready"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": "There are additional costs per transaction to run and store network data. For high-volume networks these charges will add up quickly."