turbot/azure_compliance
- Detect & correct App Service web apps with Active Directory registration disabled
- Detect & correct App Service web apps with authentication disabled
- Detect & correct App Service web apps with FTP deployment enabled
- Detect & correct App Service web apps with remote debugging enabled
- Detect & correct App Service web apps without HTTPS enabled
- Detect & correct App Service web apps without latest HTTP version
- Detect & correct App Service web apps without the latest PHP version
- Detect & correct App Service web apps without the latest Python version
- Detect & correct App Service web apps without the latest TLS version
- Detect & correct Compute disks not encrypted with CMK
- Detect & correct Compute disks with data access auth mode disabled
- Detect & correct Compute disks with public access enabled
- Detect & correct unattached Compute disks not encrypted with CMK
- Detect & correct Compute VMs without a managed disk
- Detect & correct Cosmos DB accounts with virtual network filter disabled
- Detect & correct Cosmos DB accounts without a private link
- Detect & correct Authorization policies allowing IAM users to create security group
- Detect & correct authorization policy allowing IAM users to register application
- Detect & correct IAM conditional access with MFA disabled
- Detect & correct IAM conditional access with MFA disabled for administrators
- Detect & correct Subscriptions with custom owner roles
- Detect & correct Key Vaults with logging disabled
- Detect & correct Key Vaults with purge protection disabled
- Detect & correct Key Vaults with RBAC disabled
- Detect & correct Key Vaults without a private link
- Detect & correct Key Vaults with non-RBAC keys without expiration date
- Detect & correct Key Vaults with non-RBAC secrets without expiration date
- Detect & correct Key Vaults with RBAC keys without expiration date
- Detect & correct Key Vaults with RBAC secrets without expiration date
- Detect & correct Storage account containers insights activity logs not encrypted with CMK
- Detect & correct MySQL flexible servers with audit log disabled
- Detect & correct MySQL flexible servers with audit log events not set to connection
- Detect & correct MySQL flexible servers with SSL disabled
- Detect & correct MySQL flexible servers without minimum TLS 1.2
- Detect & correct Network load balancers with basic SKU
- Detect & correct Network public IPs with basic SKU
- Detect & correct NSGs allowing inbound to HTTPS port
- Detect & correct NSGs allowing inbound to RDP port
- Detect & correct NSGs allowing inbound to SSH port
- Detect & correct NSGs allowing inbound to UDP port
- Detect & correct NSGs flow log with retention period less than 90 days
- Detect & correct regions with network watcher disabled
- Detect & correct PostgreSQL flexible servers with log retention less than 3 days
- Detect & correct PostgreSQL flexible servers with connection throttling disabled
- Detect & correct PostgreSQL flexible servers with log checkpoints disabled
- Detect & correct PostgreSQL flexible servers with SSL disabled
- Detect & correct PostgreSQL servers allowing access to Azure services
- Detect & correct PostgreSQL servers with connection throttling disabled
- Detect & correct PostgreSQL servers with infrastructure encryption disabled
- Detect & correct PostgreSQL servers with log checkpoints disabled
- Detect & correct PostgreSQL servers with logging connections disabled
- Detect & correct PostgreSQL servers with logging disconnections disabled
- Detect & correct PostgreSQL servers with logging duration disabled
- Detect & correct PostgreSQL servers with log retention less than 3 days
- Detect & correct PostgreSQL servers with SSL disabled
- Detect & correct Redis Caches with basic SKU
- Detect & correct Security Center settings without MCAS integration
- Detect & correct Security Center settings without WDATP integration
- Detect & correct Security Center auto provisioning settings with automatic provisioning monitoring agent disabled
- Detect & correct Security Centers with Azure Defender disabled for App Service
- Detect & correct Security Centers with Azure Defender disabled for Container
- Detect & correct Security Centers with Azure Defender disabled for Container Registry
- Detect & correct Security Centers with Azure Defender disabled for Cosmos DB
- Detect & correct Security Centers with Azure Defender disabled for DNS
- Detect & correct Security Centers with Azure Defender disabled for Key Vault
- Detect & correct Security Centers with Azure Defender disabled for open-source relational database
- Detect & correct Security Centers with Azure Defender disabled for Resource Manager
- Detect & correct Security Centers with Azure Defender disabled for Server
- Detect & correct Security Centers with Azure Defender disabled for SQL Database
- Detect & correct Security Centers with Azure Defender disabled for SQL Server Virtual Machine
- Detect & correct Security Centers with Azure Defender disabled for Storage
- Detect & correct Security Centers with security alerts to owner disabled
- Detect & correct Security Centers without additional email configured
- Detect & correct Security Centers without notify alerts configured
- Detect & correct SQL Databases with public access enabled
- Detect & correct SQL Databases with transparent data encryption disabled
- Detect & correct SQL servers TDE protector not encrypted with CMK
- Detect & correct SQL servers with auditing disabled
- Detect & correct SQL servers with auditing retention period less than 90 days
- Detect & correct SQL servers with public network access enabled
- Detect & correct SQL servers without Active Directory admin configured
- Detect & correct Storage Accounts with blob public access enabled
- Detect & correct Storage Accounts with blob service logging disabled
- Detect & correct Storage Accounts with blob soft delete disabled
- Detect & correct Storage Accounts with default network access rule set to Allow
- Detect & correct Storage accounts with encryption at rest using CMK disabled
- Detect & correct Storage Accounts with infrastructure encryption disabled
- Detect & correct Storage Accounts with minimum TLS version less than 1.2
- Detect & correct Storage Accounts with public access enabled
- Detect & correct Storage Accounts with queue service logging disabled
- Detect & correct Storage Accounts with secure transfer required disabled
- Detect & correct Storage Accounts with table service logging disabled
- Detect & correct Storage Accounts with trusted Microsoft services access disabled
- Detect & correct Storage Accounts not using private link
- Detect & correct Subscriptions diagnostic settings without capturing proper categories
- Detect & correct Subscriptions without activity log alert for create policy assignment
- Detect & correct Subscriptions without activity log alert for create and update NSG
- Detect & correct Subscriptions without activity log alert for create and update security solution
- Detect & correct Subscriptions without activity log alert for create and update SQL servers firewall rule
- Detect & correct Subscriptions without activity log alert for delete NSG
- Detect & correct Subscriptions without activity log alert for delete policy assignment
- Detect & correct Subscriptions without activity log alert for delete public IP address
- Detect & correct Subscriptions without activity log alert for delete security solution
- Detect & correct Subscriptions without activity log alert for delete SQL servers firewall rule
- Detect & correct Subscriptions without activity log alert for create and update public IP address
- Detect & correct Subscriptions without application insight configured
- Detect & correct Subscriptions without network bastion host
- Detect & correct Tenants with guest users
- Detect & correct Tenants with more than five IAM global administrators
Trigger: Detect & correct Subscriptions without activity log alert for create and update security solution
Detects subscriptions that have no enabled, subscription-scoped activity log alert for the create and update of security solutions (operation Microsoft.Security/securitySolutions/write).
Query
-- Enabled, Global-scope activity log alerts whose scope is the whole subscription
-- and whose condition matches Security/securitySolutions create or update events.
-- Note: the trailing "limit 1" keeps a single matching rule across all
-- subscriptions, not one per subscription.
with alert_rule as (
  select
    alert.id as alert_id,
    alert.name as alert_name,
    alert.enabled,
    alert.location,
    alert.subscription_id,
    alert.resource_group,
    alert._ctx ->> 'connection_name' as conn,
    jsonb_array_length(alert.condition -> 'allOf')
  from
    azure_log_alert as alert,
    jsonb_array_elements_text(scopes) as sc
  where
    alert.location = 'Global'
    and alert.enabled
    and sc = '/subscriptions/' || alert.subscription_id
    and (
      -- Variant 1: category = Security and the explicit write operation
      (
        alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]'
        and alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Security/securitySolutions/write"}]'
      )
      -- Variant 2: category = Security and resourceType = securitysolutions, with no further conditions
      or (
        alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]'
        and alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.security/securitysolutions"}]'
        and jsonb_array_length(alert.condition -> 'allOf') = 2
      )
    )
  limit 1
),
-- One (alphabetically first) resource group per subscription
resource_group as (
  select distinct on (s.subscription_id)
    r.name,
    r.subscription_id
  from
    azure_subscription as s
    left join azure_resource_group as r on r.subscription_id = s.subscription_id
  order by
    s.subscription_id,
    r.name
)
-- Subscriptions for which no matching alert rule was found
select
  sub.subscription_id as title,
  sub._ctx ->> 'connection_name' as conn
from
  azure_subscription sub
  left join alert_rule a on sub.subscription_id = a.subscription_id
  left join resource_group as r on r.subscription_id = sub.subscription_id
group by
  sub.subscription_id,
  sub.display_name,
  sub._ctx,
  a.alert_id,
  a.alert_name,
  a.resource_group,
  a.subscription_id,
  a.conn,
  r.name
having
  not (count(a.subscription_id) > 0);
Schedule
15m
Tags
category = Compliance
plugin = azure
service = Azure/Monitor