Microsoft implements this Configuration Management control
Name/Id: ACF1219 / Microsoft Managed Control 1219
Category: Configuration Management
Title: Least Functionality | Authorized Software / Whitelisting - Identification
Ownership: Customer, Microsoft
Description: The organization identifies software programs authorized to execute on the information system, as defined in baselines and configuration scripts.
Requirements: Azure identifies software authorized to execute within Azure via configuration baselines and configuration scripts. Both baselines and scripts are version controlled and under configuration management. Only software included in a baseline or configuration script may be installed on Azure. Azure uses Azure Security Monitoring (ASM) and SCUBA to identify unauthorized software execution and alert appropriate personnel for further review.
In addition to the standard release process under OneBranch, which includes build release verification steps such as virus scanning, services running AzSecPack are monitored by the Azure System Lockdown (AzSysLock) team for unexpected running software. Unexpected software is defined as any software that is not signed with the appropriate signing certificates. AzSysLock sends alerts to service teams that are not properly using AppLocker and Code Integrity. Additionally, for services running AzSysLock in enforcement mode, which is currently an opt-in feature of AzSecPack, a binary does not run if it is not signed. Alerts for unsigned binaries that are found running are raised to service owners as a Severity 2 incident per Azure CEN.
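As an added illustration of the unsigned-binary check described above (this is not AzSecPack or AzSysLock code; the allowed-signer subjects are assumed placeholders), a PowerShell audit that lists running processes whose image is unsigned or signed by a certificate outside the baseline:

```powershell
# Added example (not Microsoft's AzSecPack/AzSysLock code): audit the running
# processes on a Windows host and flag binaries that are not signed, or are
# signed by a certificate the baseline does not allow.

# Assumption: the baseline allows only these certificate subjects (placeholders).
$AllowedSigners = @(
    'CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US',
    'CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
)

function Get-UnexpectedRunningSoftware {
    param([string[]] $AllowedSubjects = $AllowedSigners)

    # Path is unavailable for protected/system processes; those are skipped.
    $paths = Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path } |
        Select-Object -ExpandProperty Path -Unique

    foreach ($path in $paths) {
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        if (-not $sig) { continue }

        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        $reason = $null
        if ($sig.Status -ne 'Valid') {
            # NotSigned, HashMismatch, NotTrusted, etc. all count as unexpected.
            $reason = "signature status $($sig.Status)"
        } elseif ($AllowedSubjects -notcontains $subject) {
            $reason = 'signed, but signer is not in the baseline allow list'
        }

        if ($reason) {
            [pscustomobject]@{
                Path       = $path
                Status     = $sig.Status
                Signer     = $subject
                Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
                Reason     = $reason
            }
        }
    }
}

# Report findings; in an alerting pipeline each object would become an incident
# for the service owner rather than console output.
Get-UnexpectedRunningSoftware | Sort-Object Status, Path | Format-Table -AutoSize
```

Run it in an elevated session so that the image paths of most processes are readable; entries with Status NotSigned correspond to the binaries that enforcement mode would block.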
For services running Azure Security Pack, the OS security configuration baseline is also monitored for baseline violations, which are then reported to service owners through Incident Management (IcM) and/or Service 360 (S360) depending on the severity of the violation. Near real-time alerts include alerts for audit processing failures, such as system time changes or audit policy changes.
Additionally, virtual components within Azure are managed by the Fabric Controller (FC), the component used to create, monitor, restart, and destroy virtual machines. Overall coverage of VMs and Azure Host/Native management by AzSecPack is maintained by the AzSecPack team.
Rule resource types (IF, 2 types):
- Microsoft.Resources/subscriptions
- Microsoft.Resources/subscriptions/resourceGroups