Category | Id | DisplayName | Description | Effect | Roles used | Subject | Change | Date (UTC) | Type |
---|---|---|---|---|---|---|---|---|---|
Security Center | f08f556c-12ff-464d-a7de-40cb5b6cccec | Configure ChangeTracking Extension for Windows virtual machines | Configure Windows virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Virtual Machine Contributor | change | Minor, old suffix: preview (2.0.0-preview > 2.1.0) | 2024-11-01 18:49:23 | BuiltIn |
ChangeTrackingAndInventory | bef2d677-e829-492d-9a3d-f5a20fda818f | Configure Linux Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Linux virtual machines to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images is updated over time as support is increased. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Log Analytics Contributor; Monitoring Contributor | change | Minor, old suffix: preview (1.0.0-preview > 1.1.0) | 2024-11-01 18:49:23 | BuiltIn |
ChangeTrackingAndInventory | ad1eeff9-20d7-4c82-a04e-903acab0bfc1 | Configure Windows VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Virtual Machine Contributor | change | Minor, old suffix: preview (1.1.0-preview > 1.2.0) | 2024-11-01 18:49:23 | BuiltIn |
ChangeTrackingAndInventory | b6faa975-0add-4f35-8d1c-70bba45c4424 | Configure Windows Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Windows virtual machines to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images is updated over time as support is increased. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Log Analytics Contributor; Monitoring Contributor | change | Minor, old suffix: preview (1.0.0-preview > 1.1.0) | 2024-11-01 18:49:23 | BuiltIn |
ChangeTrackingAndInventory | 56d0ed2b-60fc-44bf-af81-a78c851b5fe1 | Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Virtual Machine Contributor | change | Minor, old suffix: preview (1.5.0-preview > 1.6.0) | 2024-11-01 18:49:23 | BuiltIn |
Security Center | ec88097d-843f-4a92-8471-78016d337ba4 | Configure ChangeTracking Extension for Linux virtual machines | Configure Linux virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Virtual Machine Contributor | change | Minor, old suffix: preview (2.0.0-preview > 2.1.0) | 2024-11-01 18:49:23 | BuiltIn |
ChangeTrackingAndInventory | ef9fe2ce-a588-4edd-829c-6247069dcfdb | Configure Windows Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Windows Arc-enabled machines to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations is updated over time as support is increased. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Log Analytics Contributor; Monitoring Contributor | change | Minor, old suffix: preview (1.0.0-preview > 1.1.0) | 2024-10-31 18:50:28 | BuiltIn |
ChangeTrackingAndInventory | a7acfae7-9497-4a3f-a3b5-a16a50abbe2f | Configure Windows Arc-enabled machines to install AMA for ChangeTracking and Inventory | Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Azure Connected Machine Resource Administrator | change | Minor, old suffix: preview (1.0.0-preview > 1.1.0) | 2024-10-31 18:50:28 | BuiltIn |
Security Center | 1e378679-f122-4a96-a739-a7729c46e1aa | [Deprecated]: Cloud Services (extended support) role instances should have an endpoint protection solution installed | Protect your Cloud Services (extended support) role instances from threats and vulnerabilities by ensuring an endpoint protection solution is installed on them. | Default: Disabled; Allowed: AuditIfNotExists, Disabled | | change | Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) | 2024-10-31 18:50:28 | BuiltIn |
Security Center | 10caed8a-652c-4d1d-84e4-2805b7c07278 | Configure ChangeTracking Extension for Linux Arc machines | Configure Linux Arc machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Azure Connected Machine Resource Administrator | change | Minor, old suffix: preview (2.0.0-preview > 2.1.0) | 2024-10-31 18:50:28 | BuiltIn |
Security Center | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | [Deprecated]: Endpoint protection health issues should be resolved on your machines | Resolve endpoint protection health issues on your virtual machines to protect them from the latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here: https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here: https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Default: Disabled; Allowed: AuditIfNotExists, Disabled | | change | Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) | 2024-10-31 18:50:28 | BuiltIn |
Security Center | c859b78a-a128-4376-a838-e97ce6625d16 | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Contributor | change | Minor (1.7.0 > 1.8.0) | 2024-10-31 18:50:28 | BuiltIn |
Security Center | 4bb303db-d051-4099-95d2-e3e1428a4cd5 | Configure ChangeTracking Extension for Windows Arc machines | Configure Windows Arc machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Azure Connected Machine Resource Administrator | change | Minor, old suffix: preview (2.0.0-preview > 2.1.0) | 2024-10-31 18:50:28 | BuiltIn |
ChangeTrackingAndInventory | 09a1f130-7697-42bc-8d84-8a9ea17e5187 | Configure Linux Arc-enabled machines to install AMA for ChangeTracking and Inventory | Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Azure Connected Machine Resource Administrator | change | Minor, old suffix: preview (1.3.0-preview > 1.4.0) | 2024-10-31 18:50:28 | BuiltIn |
Security Center | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | [Deprecated]: Endpoint protection should be installed on your machines | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Default: Disabled; Allowed: AuditIfNotExists, Disabled | | change | Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) | 2024-10-31 18:50:28 | BuiltIn |
ChangeTrackingAndInventory | 09a1f130-7697-42bc-8d84-8a9ea17e5192 | Configure Linux Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Linux Arc-enabled machines to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations is updated over time as support is increased. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Log Analytics Contributor; Monitoring Contributor | change | Minor, old suffix: preview (1.0.0-preview > 1.1.0) | 2024-10-31 18:50:28 | BuiltIn |
Security Center | 04754ef9-9ae3-4477-bf17-86ef50026304 | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Contributor | change | Minor (1.8.0 > 1.9.0) | 2024-10-31 18:50:28 | BuiltIn |
Security Center | af6cd1bd-1635-48cb-bde7-5b15693900b9 | [Deprecated]: Monitor missing Endpoint Protection in Azure Security Center | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations. | Default: Disabled; Allowed: AuditIfNotExists, Disabled | | change | Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated) | 2024-10-31 18:50:28 | BuiltIn |
Security Center | 26a828e1-e88f-464e-bbb3-c134a282b9de | [Deprecated]: Endpoint protection solution should be installed on virtual machine scale sets | Audit the existence and health of an endpoint protection solution on your virtual machine scale sets, to protect them from threats and vulnerabilities. | Default: Disabled; Allowed: AuditIfNotExists, Disabled | | change | Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated) | 2024-10-31 18:50:28 | BuiltIn |
Compute | ac34a73f-9fa5-4067-9247-a3ecae514468 | Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery | Virtual machines without disaster recovery configurations are vulnerable to outages and other disruptions. If the virtual machine does not already have disaster recovery configured, this policy configures it by enabling replication using preset configurations to facilitate business continuity. You can optionally include/exclude virtual machines containing a specified tag to control the scope of assignment. To learn more about disaster recovery, visit https://aka.ms/asr-doc. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Owner | change | Patch (2.1.0 > 2.1.1) | 2024-10-30 18:57:40 | BuiltIn |
App Service | 014664e7-e348-41a3-aeb9-566e4ff6a9df | Configure App Service app slots to use the latest TLS version | Periodically, newer versions of TLS are released to fix security flaws, add functionality, and improve speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionality of the latest version. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Website Contributor | change | Minor (1.1.0 > 1.2.0) | 2024-10-25 17:51:35 | BuiltIn |
Backup | 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 | Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. | Default: DeployIfNotExists; Allowed: auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | Backup Contributor; Virtual Machine Contributor | change | Minor (9.3.0 > 9.4.0) | 2024-10-25 17:51:35 | BuiltIn |
App Service | fa3a6357-c6d6-4120-8429-855577ec0063 | Configure Function app slots to use the latest TLS version | Periodically, newer versions of TLS are released to fix security flaws, add functionality, and improve speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionality of the latest version. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Website Contributor | change | Minor (1.1.0 > 1.2.0) | 2024-10-25 17:51:35 | BuiltIn |
Backup | 345fa903-145c-4fe1-8bcd-93ec2adccde8 | Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. | Default: DeployIfNotExists; Allowed: auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | Backup Contributor; Virtual Machine Contributor | change | Minor (9.3.0 > 9.4.0) | 2024-10-25 17:51:35 | BuiltIn |
Backup | 09ce66bc-1220-4153-8104-e3f51c936913 | Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. | Default: DeployIfNotExists; Allowed: auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | Backup Contributor; Virtual Machine Contributor | change | Minor (9.3.0 > 9.4.0) | 2024-10-25 17:51:35 | BuiltIn |
App Service | 1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0 | Configure Function apps to use the latest TLS version | Periodically, newer versions of TLS are released to fix security flaws, add functionality, and improve speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionality of the latest version. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Website Contributor | change | Minor (1.0.1 > 1.1.0) | 2024-10-25 17:51:35 | BuiltIn |
Backup | 83644c87-93dd-49fe-bf9f-6aff8fd0834e | Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. | Default: DeployIfNotExists; Allowed: auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | Backup Contributor; Virtual Machine Contributor | change | Minor (9.3.0 > 9.4.0) | 2024-10-25 17:51:35 | BuiltIn |
App Service | deb528de-8f89-4101-881c-595899253102 | Function app slots should use the latest TLS version | Periodically, newer versions of TLS are released to fix security flaws, add functionality, and improve speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionality of the latest version. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | change | Minor (1.0.0 > 1.1.0) | 2024-10-25 17:51:35 | BuiltIn |
App Service | f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b | App Service apps should use the latest TLS version | Periodically, newer versions of TLS are released to fix security flaws, add functionality, and improve speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionality of the latest version. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | change | Minor (2.0.1 > 2.1.0) | 2024-10-25 17:51:35 | BuiltIn |
App Service | f9d614c5-c173-4d56-95a7-b4437057d193 | Function apps should use the latest TLS version | Periodically, newer versions of TLS are released to fix security flaws, add functionality, and improve speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionality of the latest version. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | change | Minor (2.0.1 > 2.1.0) | 2024-10-25 17:51:35 | BuiltIn |
App Service | 4ee5b817-627a-435a-8932-116193268172 | App Service app slots should use the latest TLS version | Periodically, newer versions of TLS are released to fix security flaws, add functionality, and improve speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionality of the latest version. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | change | Minor (1.0.0 > 1.1.0) | 2024-10-25 17:51:35 | BuiltIn |
App Service | ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d | Configure App Service apps to use the latest TLS version | Periodically, newer versions of TLS are released to fix security flaws, add functionality, and improve speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionality of the latest version. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Website Contributor | change | Minor (1.0.1 > 1.1.0) | 2024-10-25 17:51:35 | BuiltIn |
PostgreSQL | 1d14b021-1bae-4f93-b36b-69695e14984a | Disconnections should be logged for PostgreSQL flexible servers | This policy helps audit any PostgreSQL flexible servers in your environment without log_disconnections enabled. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | change | Patch (1.0.0 > 1.0.1) | 2024-10-21 17:52:17 | BuiltIn |
PostgreSQL | a43d5475-c569-45ce-a268-28fa79f4e87a | PostgreSQL flexible servers should be running TLS version 1.2 or newer | This policy helps audit any PostgreSQL flexible servers in your environment that are running a TLS version lower than 1.2. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | change | Minor (1.0.0 > 1.1.0) | 2024-10-21 17:52:17 | BuiltIn |
Kubernetes | d9e8f2c1-4c5a-4f5c-8b5a-2abf1e9f7b4d | [Preview]: Kubernetes cluster should implement accurate Pod Disruption Budgets | Prevents faulty Pod Disruption Budgets, ensuring a minimum number of operational pods. Refer to the official Kubernetes documentation for details. Relies on Gatekeeper data replication and syncs all ingress resources scoped to it into OPA. Before applying this policy, ensure that the synced ingress resources won't strain your memory capacity. Though parameters evaluate specific namespaces, all resources of that kind across namespaces will sync. Note: currently in preview for Kubernetes Service (AKS). | Default: Audit; Allowed: Audit, Deny, Disabled | | change | Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) | 2024-10-21 17:52:17 | BuiltIn |
Azure Update Manager | bfea026e-043f-4ff4-9d1b-bf301ca7ff46 | Configure periodic checking for missing system updates on Azure Arc-enabled servers | Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Fixed: modify | Azure Connected Machine Resource Administrator | change | Minor (2.2.1 > 2.3.0) | 2024-10-15 17:53:32 | BuiltIn |
Guest Configuration | e22a2f03-0534-4d10-8ea0-aa25a6113233 | Configure SSH security posture for Linux (powered by OSConfig) | This policy audits and configures SSH server security configuration on Linux machines (Azure VMs and Arc-enabled machines). For more information including pre-requisites, settings in scope, defaults, and customization, see https://aka.ms/SshPostureControlOverview | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Guest Configuration Resource Contributor | change | Patch, old suffix: preview (1.0.0-preview > 1.0.1) | 2024-10-15 17:53:32 | BuiltIn |
Machine Learning | 12e5dd16-d201-47ff-849b-8454061c293d | [Preview]: Azure Machine Learning Deployments should only use approved Registry Models | Restrict the deployment of Registry models to control externally created models used within your organization | Default: Audit; Allowed: Audit, Deny, Disabled | | add | new Policy | 2024-10-15 17:53:32 | BuiltIn |
Guest Configuration | a8f3e6a6-dcd2-434c-b0f7-6f309ce913b4 | Audit SSH security posture for Linux (powered by OSConfig) | This policy audits SSH server security configuration on Linux machines (Azure VMs and Arc-enabled machines). For more information including pre-requisites, settings in scope, defaults, and customization, see https://aka.ms/SshPostureControlOverview | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | change | Patch, old suffix: preview (1.0.0-preview > 1.0.1) | 2024-10-15 17:53:32 | BuiltIn |
SQL | Deploy-SqlMi-minTLS | SQL managed instances deploy a specific min TLS version requirement. | Deploy a specific minimum TLS version requirement and enforce SSL on SQL managed instances. Enforcing a minimum TLS version on server-to-client connections secures the connection between your database server and your client applications and helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | SQL Managed Instance Contributor | change | Minor (1.2.0 > 1.3.0) | 2024-10-10 01:17:21 | ALZ |
SQL | Deploy-MySQL-sslEnforcement | Azure Database for MySQL server deploy a specific min TLS version and enforce SSL. | Deploy a specific minimum TLS version requirement and enforce SSL on Azure Database for MySQL server. Requiring client applications to use a minimum TLS version secures the connection between your database server and your client applications and helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Contributor | change | Minor (1.1.0 > 1.2.0) | 2024-10-10 01:17:21 | ALZ |
SQL | Deploy-SQL-minTLS | SQL servers deploys a specific min TLS version requirement. | Deploys a specific minimum TLS version requirement and enforces SSL on SQL servers. Enforcing a minimum TLS version on server-to-client connections secures the connection between your database server and your client applications and helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | SQL Server Contributor | change | Minor (1.1.0 > 1.2.0) | 2024-10-10 01:17:21 | ALZ |
Cache | Append-Redis-sslEnforcement | Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS. | Append a specific minimum TLS version requirement and enforce SSL on Azure Cache for Redis. Enforcing a minimum TLS version on server-to-client connections secures the connection between your database server and your client applications and helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Default: Append; Allowed: Append, Disabled | | change | Minor (1.0.0 > 1.1.0) | 2024-10-10 01:17:21 | ALZ |
SQL | Deny-SqlMi-minTLS | SQL Managed Instance should have the minimal TLS version set to the highest version | Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. | Default: Audit; Allowed: Audit, Disabled, Deny | | change | Minor (1.0.0 > 1.1.0) | 2024-10-10 01:17:21 | ALZ |
Network | Deny-VNET-Peer-Cross-Sub | Deny vNet peering cross subscription. | This policy denies the creation of vNet Peerings outside of the same subscriptions under the assigned scope. | Default: Deny; Allowed: Audit, Deny, Disabled | | change | Minor (1.0.1 > 1.1.0) | 2024-10-10 01:17:21 | ALZ |
Networking | Deploy-Private-DNS-Generic | Deploy-Private-DNS-Generic | Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Network Contributor | change | Major (1.0.0 > 2.0.0) | 2024-10-10 01:17:21 | ALZ |
Storage | Deploy-Storage-sslEnforcement | Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS | Deploy a specific minimum TLS version requirement and enforce SSL on Azure Storage. Enforcing a minimum TLS version on server-to-client connections secures the connection between your storage account and your client applications and helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your Azure Storage. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Storage Account Contributor | change | Minor (1.2.0 > 1.3.0) | 2024-10-10 01:17:21 | ALZ |
Cache | Deny-Redis-http | Azure Cache for Redis only secure connections should be enabled | Audit that only connections via SSL to Azure Cache for Redis are enabled. Validate both the minimum TLS version and that enableNonSslPort is disabled. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. | Default: Deny; Allowed: Audit, Deny, Disabled | | change | Minor (1.0.0 > 1.1.0) | 2024-10-10 01:17:21 | ALZ |
SQL | Deny-Sql-minTLS | Azure SQL Database should have the minimal TLS version set to the highest version | Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. | Default: Audit; Allowed: Audit, Disabled, Deny | | change | Minor (1.0.0 > 1.1.0) | 2024-10-10 01:17:21 | ALZ |
SQL | Deploy-PostgreSQL-sslEnforcement | Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL | Deploy a specific minimum TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforcing a minimum TLS version on server-to-client connections secures the connection between your database server and your client applications and helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Contributor | change | Minor (1.1.0 > 1.2.0) | 2024-10-10 01:17:21 | ALZ |
App Service | Append-AppService-latestTLS | AppService append sites with minimum TLS version to enforce. | Append the AppService sites object to ensure that the minimum TLS version is set to the required minimum TLS version. Note that Append does not enforce compliance; use a Deny policy for enforcement. | Default: Append; Allowed: Append, Disabled | | change | Minor (1.1.0 > 1.2.0) | 2024-10-10 01:17:21 | ALZ |
SQL | Deny-MySql-http | MySQL database servers enforce SSL connections. | Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Default: Deny; Allowed: Audit, Disabled, Deny | | change | Minor (1.0.0 > 1.1.0) | 2024-10-10 01:17:21 | ALZ |
Event Hub | Deny-EH-minTLS | Event Hub namespaces should use a valid TLS version | Event Hub namespaces should use a valid TLS version. | Default: Deny; Allowed: Audit, Deny, Disabled | | change | Minor (1.0.0 > 1.1.0) | 2024-10-10 01:17:21 | ALZ |
Security Center | 123a3936-f020-408a-ba0c-47873faf1534 | [Deprecated]: Allowlist rules in your adaptive application control policy should be updated | Monitor changes in behavior on machines audited by Azure Security Center's adaptive application controls. Security Center uses machine learning to suggest known-safe applications as recommended apps. This policy is deprecated due to the deprecation of the Azure Monitoring agent. Learn more at aka.ms/policydefdeprecation. | Default Disabled Allowed AuditIfNotExists, Disabled |
change |
Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated) | 2024-10-07 17:51:17 | BuiltIn | |
Security Center | 475aae12-b88a-4572-8b36-9b712b2b3a17 | [Deprecated]: Auto provisioning of the Log Analytics agent should be enabled on your subscription | Azure Security Center collects VM data using the Log Analytics agent for security monitoring. Enable auto provisioning for automatic deployment. This policy is deprecated due to the Azure Monitoring agent deprecation. Learn more at aka.ms/policydefdeprecation. | Default Disabled Allowed AuditIfNotExists, Disabled |
change |
Minor, new suffix: deprecated (1.0.1 > 1.1.0-deprecated) | 2024-10-07 17:51:17 | BuiltIn | |
Security Center | 86b3d65f-7626-441e-b690-81a8b71cff60 | [Deprecated]: System updates should be installed on your machines | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Default Disabled Allowed AuditIfNotExists, Disabled |
change |
Minor, new suffix: deprecated (4.0.0 > 4.1.0-deprecated) | 2024-10-07 17:51:17 | BuiltIn | |
App Configuration | d242c24b-bac7-439e-8af7-22d7dcfd3c4f | App Configuration should use geo-replication | Use the geo-replication feature to create replicas in other locations of your current configuration store for enhanced resiliency and availability. Additionally, having multi-region replicas lets you better distribute load, lower latency, protect against datacenter outages, and compartmentalize globally distributed workloads. Learn more at: https://aka.ms/appconfig/geo-replication. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2024-10-07 17:51:17 | BuiltIn | |
Security Center | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | [Deprecated]: Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. This policy is deprecated because it depends on the Azure Monitoring agent, which has also been deprecated. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default Disabled Allowed AuditIfNotExists, Disabled |
change |
Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated) | 2024-10-07 17:51:17 | BuiltIn | |
Container Apps | d074ddf8-01a5-4b5e-a2b8-964aed452c0a | Container Apps environment should disable public network access | Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.0.1 > 1.1.0) | 2024-10-07 17:51:17 | BuiltIn | |
Security Center | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | [Deprecated]: Adaptive network hardening recommendations should be applied on internet facing virtual machines | Azure Security Center recommends NSG rules for Internet-facing VMs. This policy is deprecated due to Azure Monitoring agent deprecation. Learn more at aka.ms/policydefdeprecation. | Default Disabled Allowed AuditIfNotExists, Disabled |
change |
Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated) | 2024-10-07 17:51:17 | BuiltIn | |
Security Center | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | [Deprecated]: System updates on virtual machine scale sets should be installed | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Default Disabled Allowed AuditIfNotExists, Disabled |
change |
Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated) | 2024-10-07 17:51:17 | BuiltIn | |
Security Center | 47a6b606-51aa-4496-8bb7-64b11cf66adc | [Deprecated]: Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define safe applications and get alerts for others, enhancing security. This policy is deprecated due to the Azure Monitoring agent deprecation. Learn more at aka.ms/policydefdeprecation. | Default Disabled Allowed AuditIfNotExists, Disabled |
change |
Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated) | 2024-10-07 17:51:17 | BuiltIn | |
Security Center | e8cbc669-f12d-49eb-93e7-9273119e9933 | [Deprecated]: Vulnerabilities in container security configurations should be remediated | Audit Docker security vulnerabilities and display recommendations in Azure Security Center. This policy is deprecated due to Azure Monitoring agent deprecation. Learn more at aka.ms/policydefdeprecation. | Default Disabled Allowed AuditIfNotExists, Disabled |
change |
Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated) | 2024-10-07 17:51:17 | BuiltIn | |
Cache | 1b1df1e6-d60f-4430-9390-2b0c83aae4a7 | Configure Azure Cache for Redis Enterprise with private endpoints | Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis Enterprise resources, you can reduce data leakage risks. Learn more at: https://aka.ms/redis/privateendpoint. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2024-09-27 17:51:42 | BuiltIn |
Kubernetes | 65280eef-c8b4-425e-9aec-af55e55bf581 | Kubernetes cluster should not use naked pods | Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by a Deployment, ReplicaSet, DaemonSet or Job. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (2.2.0 > 2.3.0) | 2024-09-24 17:50:47 | BuiltIn | |
Kubernetes | 53a4a537-990c-495a-92e0-7c21a465442c | [Preview]: Cannot Edit Individual Nodes | Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) | 2024-09-24 17:50:47 | BuiltIn | |
Machine Learning | ba769a63-b8cc-4b2d-abf6-ac33c7204be8 | Azure Machine Learning workspaces should be encrypted with a customer-managed key | Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/azureml-workspaces-cmk. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (1.0.3 > 1.1.0) | 2024-09-18 17:50:24 | BuiltIn | |
Security Center | 242300d6-1bfc-4d64-8d01-cee583709ebd | Configure the Microsoft Defender for SQL Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.3.0 > 1.4.0) | 2024-09-10 17:48:30 | BuiltIn |
Health Deidentification Service | d9b2d63d-a233-4123-847a-7f7e5f5d7e7a | Azure Health Data Services de-identification service should use private link | Azure Health Data Services de-identification service should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2024-09-10 17:48:30 | BuiltIn | |
Security Center | c859b78a-a128-4376-a838-e97ce6625d16 | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.6.0 > 1.7.0) | 2024-09-10 17:48:30 | BuiltIn |
Security Center | 09963c90-6ee7-4215-8d26-1cc660a1682f | Create and assign a built-in user-assigned managed identity | Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.6.0 > 1.7.0) | 2024-09-10 17:48:30 | BuiltIn |
Security Center | f91991d1-5383-4c95-8ee5-5ac423dd8bb1 | Configure SQL Virtual Machines to automatically install Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (1.4.0 > 1.5.0) | 2024-09-10 17:48:30 | BuiltIn |
Security Center | ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL | Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (1.4.0 > 1.5.0) | 2024-09-10 17:48:30 | BuiltIn |
Health Deidentification Service | c5f34731-7ab9-42ff-922d-ef4920068b74 | Azure Health Data Services de-identification service should disable public network access | Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2024-09-10 17:48:30 | BuiltIn | |
Kubernetes | 708b60a6-d253-4fe0-9114-4be4c00f012c | [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Defender Kubernetes Agent Operator •Kubernetes Agent Operator |
change |
Minor, suffix remains equal (7.2.0-preview > 7.3.0-preview) | 2024-09-10 17:48:30 | BuiltIn |
Security Center | 04754ef9-9ae3-4477-bf17-86ef50026304 | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.7.0 > 1.8.0) | 2024-09-10 17:48:30 | BuiltIn |
Security Center | 359a48a3-351a-4618-bb32-f1628645694b | Configure Microsoft Defender threat protection for AI workloads | New capabilities are continuously being added to threat protection for AI workloads, which may require the user's explicit enablement. Use this policy to make sure all new capabilities will be enabled. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Owner |
add |
new Policy | 2024-09-02 17:49:45 | BuiltIn |
Kubernetes | e1352e44-d34d-4e4d-a22e-451a15f759a1 | Deploy Planned Maintenance to schedule and control upgrades for your Azure Kubernetes Service (AKS) cluster | Planned Maintenance allows you to schedule weekly maintenance windows to perform updates and minimize workload impact. Once scheduled, upgrades occur only during the window you selected. Learn more at: https://aka.ms/aks/planned-maintenance | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2024-09-02 17:49:45 | BuiltIn |
Kubernetes | fed6510d-00b9-40db-a347-933125a6a327 | [Preview]: Prevents init containers from being run as root by setting runAsNotRoot to true. | Setting runAsNotRoot to true increases security by preventing containers from being run as root. | Default Mutate Allowed Mutate, Disabled |
add |
new Policy | 2024-08-26 18:17:33 | BuiltIn | |
Kubernetes | 2fe7ba7d-f670-41f5-8b70-b61dc7dfbe18 | [Preview]: Prevents containers from being run as root by setting runAsNotRoot to true. | Setting runAsNotRoot to true increases security by preventing containers from being run as root. | Default Mutate Allowed Mutate, Disabled |
add |
new Policy | 2024-08-26 18:17:33 | BuiltIn | |
Cache | 1b1df1e6-d60f-4430-9390-2b0c83aae4a7 | Configure Azure Cache for Redis Enterprise with private endpoints | Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis Enterprise resources, you can reduce data leakage risks. Learn more at: https://aka.ms/redis/privateendpoint. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2024-08-20 18:21:51 | BuiltIn |
Cache | 09aa11bb-87ec-409f-bf0b-49b7c1561a87 | Azure Cache for Redis Enterprise should use customer-managed keys for encrypting disk data | Use customer-managed keys (CMK) to manage the encryption at rest of your on-disk data. By default, customer data is encrypted with platform-managed keys (PMK), but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/RedisCMK. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-08-20 18:21:51 | BuiltIn | |
Kubernetes | 64def556-fbad-4622-930e-72d1d5589bf5 | Configure Azure Kubernetes Service clusters to enable Defender profile | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Defender Kubernetes Agent Operator •Kubernetes Agent Operator |
change |
Minor (4.2.0 > 4.3.0) | 2024-08-20 18:21:51 | BuiltIn |
Cache | 7473e756-98d9-4d10-9a22-8101ef32cd74 | Configure Azure Cache for Redis Enterprise to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve to Azure Cache for Redis Enterprise. Learn more at: https://aka.ms/privatednszone. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Network Contributor |
add |
new Policy | 2024-08-20 18:21:51 | BuiltIn |
Kubernetes | 708b60a6-d253-4fe0-9114-4be4c00f012c | [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Defender Kubernetes Agent Operator •Kubernetes Agent Operator |
change |
Minor, suffix remains equal (7.1.0-preview > 7.2.0-preview) | 2024-08-20 18:21:51 | BuiltIn |
Cache | 960e650e-9ce3-4316-9590-8ee2c016ca2f | Azure Cache for Redis Enterprise should use private link | Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis Enterprise instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
add |
new Policy | 2024-08-20 18:21:51 | BuiltIn | |
Regulatory Compliance | 9e1a2a94-cf7e-47de-b28e-d445ecc63902 | Set file integrity rules in your organization | CMA_M1000 - Set file integrity rules in your organization | Default Manual Allowed Manual, Disabled |
add |
new Policy | 2024-08-20 18:21:51 | BuiltIn | |
Monitoring | 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07 | Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch (4.4.0 > 4.4.1) | 2024-08-20 18:21:51 | BuiltIn |
Monitoring | 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 | Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch (3.3.0 > 3.3.1) | 2024-08-20 18:21:51 | BuiltIn |
Security Center | f85bf3e0-d513-442e-89c3-1784ad63382b | System updates should be installed on your machines (powered by Update Center) | Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch, old suffix: preview (1.0.0-preview > 1.0.1) | 2024-08-20 18:21:51 | BuiltIn | |
Monitoring | d5c37ce1-5f52-4523-b949-f19bf945b73a | Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations is updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch (2.2.0 > 2.2.1) | 2024-08-20 18:21:51 | BuiltIn |
Monitoring | 244efd75-0d92-453c-b9a3-7d73ca36ed52 | Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch (3.3.0 > 3.3.1) | 2024-08-20 18:21:51 | BuiltIn |
Monitoring | 050a90d5-7cce-483f-8f6c-0df462036dda | Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch (4.4.0 > 4.4.1) | 2024-08-20 18:21:51 | BuiltIn |
Monitoring | 2ea82cdd-f2e8-4500-af75-67a2e084ca74 | Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch (6.5.0 > 6.5.1) | 2024-08-20 18:21:51 | BuiltIn |
Monitoring | c24c537f-2516-4c2f-aac5-2cd26baa3d26 | Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations is updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch (2.2.0 > 2.2.1) | 2024-08-20 18:21:51 | BuiltIn |
Monitoring | eab1f514-22e3-42e3-9a1f-e1dc9199355c | Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Patch (4.5.0 > 4.5.1) | 2024-08-20 18:21:51 | BuiltIn |
Kubernetes | 16697877-1118-4fb1-9b65-9898ec2509ec | Kubernetes cluster pods should only use allowed volume types | Pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (5.1.1 > 5.2.0) | 2024-08-09 18:17:47 | BuiltIn | |
Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | Kubernetes cluster containers should run with a read only root file system | Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (6.2.0 > 6.3.0) | 2024-08-09 18:17:47 | BuiltIn | |
Kubernetes | 5f86d473-38a8-46c9-bdfe-d7fa3b9836bf | [Preview]: Sets Kubernetes cluster containers memory limits to default values in case not present. | Sets container memory limits to prevent resource exhaustion attacks in a Kubernetes cluster. | Default Mutate Allowed Mutate, Disabled |
change |
Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview) | 2024-08-09 18:17:47 | BuiltIn | |
Kubernetes | e345eecc-fa47-480f-9e88-67dcc122b164 | Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits | Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Deny Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (9.2.0 > 9.3.0) | 2024-08-09 18:17:47 | BuiltIn | |
Kubernetes | 9f061a12-e40d-4183-a00e-171812443373 | Kubernetes clusters should not use the default namespace | Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (4.1.0 > 4.2.0) | 2024-08-09 18:17:47 | BuiltIn | |
Kubernetes | 021f8078-41a0-40e6-81b6-c6597da9f3ee | [Preview]: Kubernetes cluster container images should not include latest image tag | Requires that container images do not use the latest tag in Kubernetes. It is a best practice to ensure reproducibility, prevent unintended updates, and facilitate easier debugging and rollbacks by using explicit and versioned container images. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2024-08-09 18:17:47 | BuiltIn | |
Kubernetes | 12db3749-7e03-4b9f-b443-d37d3fb9f8d9 | [Preview]: Kubernetes cluster containers should only pull images when image pull secrets are present | Restrict containers' image pulls to enforce the presence of ImagePullSecrets, ensuring secure and authorized access to images within a Kubernetes cluster. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) | 2024-08-09 18:17:47 | BuiltIn | |
Kubernetes | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 | Kubernetes clusters should not allow container privilege escalation | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (7.1.0 > 7.2.0) | 2024-08-09 18:17:47 | BuiltIn | |
Kubernetes | a3dc4946-dba6-43e6-950d-f96532848c9f | Kubernetes clusters should ensure that the cluster-admin role is only used where required | The role 'cluster-admin' provides wide-ranging powers over the environment and should be used only where and when needed. | Default Audit Allowed Audit, Disabled |
change |
Minor (1.0.0 > 1.1.0) | 2024-08-09 18:17:47 | BuiltIn | |
Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (6.1.1 > 6.2.0) | 2024-08-09 18:17:47 | BuiltIn | |
Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (8.1.1 > 8.2.0) | 2024-08-09 18:17:47 | BuiltIn | |
Kubernetes | 1a3b9003-eac6-4d39-a184-4a567ace7645 | [Preview]: Kubernetes cluster container images must include the preStop hook | Requires that container images include a preStop hook to gracefully terminate processes during pod shutdowns. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2024-08-09 18:17:47 | BuiltIn | |
Kubernetes | 4f3823b6-6dac-4b5a-9c61-ce1afb829f17 | Kubernetes clusters should use Container Storage Interface (CSI) driver StorageClass | The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Kubernetes. In-tree provisioner StorageClasses are deprecated since AKS version 1.21. To learn more, see https://aka.ms/aks-csi-driver | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (2.2.0 > 2.3.0) | 2024-08-09 18:17:47 | BuiltIn | |
Kubernetes | a2abc456-f0ae-464b-bd3a-07a3cdbd7fb1 | Kubernetes cluster Windows containers should not overcommit cpu and memory | Windows container resource requests should be less than or equal to the resource limit, or left unspecified, to avoid overcommit. If Windows memory is over-provisioned, it will page to disk, which can slow down performance, instead of terminating the container with an out-of-memory error. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (2.1.0 > 2.2.0) | 2024-08-09 18:17:47 | BuiltIn | |
Kubernetes | 50c83470-d2f0-4dda-a716-1938a4825f62 | Kubernetes cluster containers should only use allowed pull policy | Restrict containers' image pull policy to ensure that deployments use only allowed images. | Default Audit Allowed Audit, Deny, Disabled |
change |
Minor (3.1.0 > 3.2.0) | 2024-08-09 18:17:47 | BuiltIn | |
Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes cluster containers should only use allowed seccomp profiles | Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default Audit Allowed audit, Audit, deny, Deny, disabled, Disabled |
change |
Minor (7.1.1 > 7.2.0) | 2024-08-09 18:17:47 | BuiltIn | |
Kubernetes | ca8d5704-aa2b-40cf-b110-dc19052825ad | Kubernetes clusters should minimize wildcard use in role and cluster role | Using wildcards '*' can be a security risk because it grants broad permissions that may not be necessary for a specific role. If a role has too many permissions, it could potentially be abused by an attacker or compromised user to gain unauthorized access to resources in the cluster. | Default: Audit; Allowed: Audit, Disabled | | change | Minor (1.0.0 > 1.1.0) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit; Allowed: audit, Audit, deny, Deny, disabled, Disabled | | change | Minor (6.1.1 > 6.2.0) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | d9e8f2c1-4c5a-4f5c-8b5a-2abf1e9f7b4d | [Preview]: Kubernetes cluster should implement accurate Pod Disruption Budgets | Prevents faulty Pod Disruption Budgets, ensuring a minimum number of operational pods. Refer to the official Kubernetes documentation for details. Relies on Gatekeeper data replication and syncs all ingress resources scoped to it into OPA. Before applying this policy, ensure that the synced ingress resources won't strain your memory capacity. Though parameters evaluate specific namespaces, all resources of that kind across namespaces will sync. Note: currently in preview for Kubernetes Service (AKS). | Default: Audit; Allowed: Audit, Deny, Disabled | | change | Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit; Allowed: audit, Audit, deny, Deny, disabled, Disabled | | change | Minor (6.1.1 > 6.2.0) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | 34c88cd4-5d72-4dbb-bf77-12c3cafe8791 | [Preview]: Must Have Anti Affinity Rules Set | This policy ensures that pods are scheduled on different nodes within the cluster. By enforcing anti-affinity rules, availability is maintained even if one of the nodes becomes unavailable. Pods will continue to run on other nodes, enhancing resilience. | Default: Audit; Allowed: Audit, Deny, Disabled | | change | Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | 57dde185-5c62-4063-b965-afbb201e9c1c | Kubernetes cluster Windows containers should only run with approved user and domain user group | Control the user that Windows pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies on Windows nodes which are intended to improve the security of your Kubernetes environments. | Default: Audit; Allowed: Audit, Deny, Disabled | | change | Minor (2.1.0 > 2.2.0) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | 4ee3ee6a-96ea-4d25-9c00-17f11d2e02c8 | [Preview]: Sets Privilege escalation in the Pod spec in init containers to false. | Setting Privilege escalation to false in init containers increases security by preventing containers from allowing privilege escalation such as via set-user-ID or set-group-ID file mode. | Default: Mutate; Allowed: Mutate, Disabled | | change | Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | d77f191e-2338-45d0-b6d4-4ee1c586a192 | [Preview]: Sets maxUnavailable pods to 1 for PodDisruptionBudget resources | Setting your max unavailable pod value to 1 ensures that your application or service is available during a disruption | Default: Mutate; Allowed: Mutate, Disabled | | change | Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | e16d171b-bfe5-4d79-a525-19736b396e92 | [Preview]: Restricts the CriticalAddonsOnly taint to just the system pool. | To avoid eviction of user apps from user pools and maintain separation of concerns between the user and system pools, the 'CriticalAddonsOnly' taint should not be applied to user pools. | Default: Mutate; Allowed: Mutate, Disabled | | change | Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit; Allowed: audit, Audit, deny, Deny, disabled, Disabled | | change | Minor (6.1.0 > 6.2.0) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | e24df237-32cb-4a6c-a2f6-85b499cda9f2 | [Preview]: Prints a message if a mutation is applied | Looks up the mutation annotations applied and prints a message if the annotation exists. | Default: Audit; Allowed: Audit, Disabled | | change | Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | c812272d-7488-495f-a505-047d34b83f58 | [Preview]: Mutate K8s Init Container to drop all capabilities | Mutates securityContext.capabilities.drop to add in "ALL". This drops all capabilities for k8s Linux init containers | Default: Mutate; Allowed: Mutate, Disabled | | change | Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | 65280eef-c8b4-425e-9aec-af55e55bf581 | Kubernetes cluster should not use naked pods | Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by a Deployment, ReplicaSet, DaemonSet or Job | Default: Audit; Allowed: Audit, Deny, Disabled | | change | Minor (2.1.0 > 2.2.0) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | Default: Deny; Allowed: audit, Audit, deny, Deny, disabled, Disabled | | change | Minor (8.1.0 > 8.2.0) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | 6f87d474-38a9-46c9-bdfe-d7fa3b9836bf | [Preview]: Sets Kubernetes cluster containers' secure computing mode profile type to RuntimeDefault if not present. | Sets the secure computing mode profile type for containers to prevent unauthorized and potentially harmful system calls to the kernel from user space. | Default: Mutate; Allowed: Mutate, Disabled | | change | Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | c873b3ba-c605-42e4-a64b-a142a93826fc | [Preview]: Mutate K8s Container to drop all capabilities | Mutates securityContext.capabilities.drop to add in "ALL". This drops all capabilities for k8s Linux containers | Default: Mutate; Allowed: Mutate, Disabled | | change | Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | 95edb821-ddaf-4404-9732-666045e056b4 | Kubernetes cluster should not allow privileged containers | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny; Allowed: audit, Audit, deny, Deny, disabled, Disabled | | change | Minor (9.1.0 > 9.2.0) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit; Allowed: audit, Audit, deny, Deny, disabled, Disabled | | change | Minor (7.1.1 > 7.2.0) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny; Allowed: audit, Audit, deny, Deny, disabled, Disabled | | change | Minor (9.2.0 > 9.3.0) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | 6bcd4321-fb89-4e3e-bf6c-999c13d47f43 | [Preview]: Sets Kubernetes cluster init containers' secure computing mode profile type to RuntimeDefault if not present. | Sets the secure computing mode profile type for init containers to prevent unauthorized and potentially harmful system calls to the kernel from user space. | Default: Mutate; Allowed: Mutate, Disabled | | change | Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | a27c700f-8a22-44ec-961c-41625264370b | Kubernetes clusters should not use specific security capabilities | Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit; Allowed: audit, Audit, deny, Deny, disabled, Disabled | | change | Minor (5.1.0 > 5.2.0) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | 5485eac0-7e8f-4964-998b-a44f4f0c1e75 | Kubernetes cluster Windows containers should not run as ContainerAdministrator | Prevent usage of ContainerAdministrator as the user to execute the container processes for Windows pods or containers. This recommendation is intended to improve the security of Windows nodes. For more information, see https://kubernetes.io/docs/concepts/windows/intro/ . | Default: Audit; Allowed: Audit, Deny, Disabled | | change | Minor (1.1.0 > 1.2.0) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | Kubernetes cluster containers should not use forbidden sysctl interfaces | Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit; Allowed: audit, Audit, deny, Deny, disabled, Disabled | | change | Minor (7.1.1 > 7.2.0) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | d77df159-718b-4aca-b94b-8e8890a98231 | [Preview]: Sets Privilege escalation in the Pod spec to false. | Setting Privilege escalation to false increases security by preventing containers from allowing privilege escalation such as via set-user-ID or set-group-ID file mode. | Default: Mutate; Allowed: Mutate, Disabled | | change | Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 | Kubernetes cluster containers should not share host process ID or host IPC namespace | Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit; Allowed: audit, Audit, deny, Deny, disabled, Disabled | | change | Minor (5.1.0 > 5.2.0) | 2024-08-09 18:17:47 | BuiltIn |
Network | fe8a9af4-a003-4c7d-b7a4-b9808310c4f8 | Public IPs and Public IP prefixes should have FirstPartyUsage tag | Ensure all Public IP addresses and Public IP Prefixes have a FirstPartyUsage tag. | Default: Audit; Allowed: Audit, Deny, Disabled | | add | new Policy | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | 53a4a537-990c-495a-92e0-7c21a465442c | [Preview]: Cannot Edit Individual Nodes | Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks. | Default: Audit; Allowed: Audit, Deny, Disabled | | change | Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | 1ddac26b-ed48-4c30-8cc5-3a68c79b8001 | Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit | ClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice permissions allow cross-Namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit; Allowed: Audit, Disabled | | change | Minor (3.1.0 > 3.2.0) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | 077f0ce1-86d6-4058-bc60-de05067e8622 | Kubernetes cluster Windows pods should not run HostProcess containers | Prevent privileged access to the Windows node. This recommendation is intended to improve the security of Windows nodes. For more information, see https://kubernetes.io/docs/concepts/windows/intro/ . | Default: Audit; Allowed: Audit, Deny, Disabled | | add | new Policy | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | 8e875f96-2c56-40ca-86db-b9f6a0be7347 | [Preview]: Sets readOnlyRootFileSystem in the Pod spec to true if it is not set. | Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem | Default: Mutate; Allowed: Mutate, Disabled | | change | Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | b81f454c-eebb-4e4f-9dfe-dca060e8a8fd | [Preview]: Kubernetes clusters should restrict creation of given resource type | The given Kubernetes resource type should not be deployed in the specified namespace. | Default: Audit; Allowed: Audit, Deny, Disabled | | change | Minor, suffix remains equal (2.2.0-preview > 2.3.0-preview) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | 423dd1ba-798e-40e4-9c4d-b6902674b423 | Kubernetes clusters should disable automounting API credentials | Disable automounting API credentials to prevent a potentially compromised Pod resource from running API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit; Allowed: audit, Audit, deny, Deny, disabled, Disabled | | change | Minor (4.1.0 > 4.2.0) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 | Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit; Allowed: audit, Audit, deny, Deny, disabled, Disabled | | change | Minor (5.1.1 > 5.2.0) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | b1a9997f-2883-4f12-bdff-2280f99b5915 | Ensure cluster containers have readiness or liveness probes configured | This policy enforces that all pods have readiness and/or liveness probes configured. Probe types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: Audit; Allowed: Audit, Deny, Disabled | | change | Minor (3.2.0 > 3.3.0) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | 48940d92-ff05-449e-9111-e742d9280451 | [Preview]: Reserved System Pool Taints | Restricts the CriticalAddonsOnly taint to just the system pool. AKS uses the CriticalAddonsOnly taint to keep customer pods away from the system pool. It ensures a clear separation between AKS components and customer pods, as well as prevents customer pods from being evicted if they do not tolerate the CriticalAddonsOnly taint. | Default: Audit; Allowed: Audit, Deny, Disabled | | change | Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | 233a2a17-77ca-4fb1-9b6b-69223d272a44 | Kubernetes cluster services should listen only on allowed ports | Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny; Allowed: audit, Audit, deny, Deny, disabled, Disabled | | change | Minor (8.1.0 > 8.2.0) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | cf426bb8-b320-4321-8545-1b784a5df3a4 | [Image Integrity] Kubernetes clusters should only use images signed by notation | Use images signed by notation to ensure that images come from trusted sources and will not be maliciously modified. For more info, visit https://aka.ms/aks/image-integrity | Default: Audit; Allowed: Audit, Disabled | | change | Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | d46c275d-1680-448d-b2ec-e495a3b6cc89 | Kubernetes cluster services should only use allowed external IPs | Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit; Allowed: audit, Audit, deny, Deny, disabled, Disabled | | change | Minor (5.1.0 > 5.2.0) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | 2ae2f266-ecc3-4d26-82c5-8c3cb7774f45 | [Preview]: Sets readOnlyRootFileSystem in the Pod spec in init containers to true if it is not set. | Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem. This works only for Linux containers. | Default: Mutate; Allowed: Mutate, Disabled | | change | Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | a22123bd-b9da-4c86-9424-24903e91fd55 | [Preview]: No AKS Specific Labels | Prevents customers from applying AKS specific labels. AKS uses labels prefixed with `kubernetes.azure.com` to denote AKS owned components. The customer should not use these labels. | Default: Audit; Allowed: Audit, Deny, Disabled | | change | Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e | Kubernetes clusters should use internal load balancers | Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny; Allowed: audit, Audit, deny, Deny, disabled, Disabled | | change | Minor (8.1.0 > 8.2.0) | 2024-08-09 18:17:47 | BuiltIn |
Azure Load Testing | d855fd7a-9be5-4d84-8b75-28d41aadc158 | [Preview]: Load tests using Azure Load Testing should be run only against private endpoints from within a virtual network. | Azure Load Testing engine instances should use virtual network injection for the following purposes: 1. Isolate Azure Load Testing engines to a virtual network. 2. Enable Azure Load Testing engines to interact with systems in either on-premises data centers or Azure services in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Load Testing engines. | Default: Audit; Allowed: Audit, Deny, Disabled | | add | new Policy | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | b0fdedee-7b9e-4a17-9f5d-5e8e912d2f01 | [Preview]: Kubernetes cluster services should use unique selectors | Ensure Services in a Namespace Have Unique Selectors. A unique service selector ensures that each service within a namespace is uniquely identifiable based on specific criteria. This policy syncs ingress resources into OPA via Gatekeeper. Before applying, verify Gatekeeper pods memory capacity won't be exceeded. Parameters apply to specific namespaces, but it syncs all resources of that type across all namespaces. Currently in preview for Kubernetes Service (AKS). | Default: Audit; Allowed: Audit, Deny, Disabled | | change | Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | 57f274ef-580a-4ed2-bcf8-5c6fa3775253 | [Preview]: Sets automountServiceAccountToken in the Pod spec in containers to false. | Setting automountServiceAccountToken to false increases security by avoiding the default auto-mounting of service account tokens | Default: Mutate; Allowed: Mutate, Disabled | | change | Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | 42ba1d72-e90f-42f8-bf99-5a1351eed2b1 | [Preview]: Sets Kubernetes cluster containers CPU limits to default values in case not present. | Sets container CPU limits to prevent resource exhaustion attacks in a Kubernetes cluster. | Default: Mutate; Allowed: Mutate, Disabled | | change | Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | 9a5f4e39-e427-4d5d-ae73-93db00328bec | Kubernetes resources should have required annotations | Ensure that required annotations are attached on a given Kubernetes resource kind for improved resource management of your Kubernetes resources. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit; Allowed: Audit, Deny, Disabled | | change | Minor (3.1.0 > 3.2.0) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 | Kubernetes cluster pods should use specified labels | Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Deny; Allowed: audit, Audit, deny, Deny, disabled, Disabled | | change | Minor (7.1.0 > 7.2.0) | 2024-08-09 18:17:47 | BuiltIn |
Kubernetes | c26596ff-4d70-4e6a-9a30-c2506bd2f80c | Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: Audit; Allowed: audit, Audit, deny, Deny, disabled, Disabled | | change | Minor (6.1.0 > 6.2.0) | 2024-08-09 18:17:47 | BuiltIn |
Cache | 3827af20-8f80-4b15-8300-6db0873ec901 | Azure Cache for Redis should not use access keys for authentication | Not using local authentication methods like access keys and using more secure alternatives like Microsoft Entra ID (recommended) improves security for your Azure Cache for Redis. Learn more at aka.ms/redis/disableAccessKeyAuthentication | Default: Audit; Allowed: Audit, Deny, Disabled | | add | new Policy | 2024-08-05 18:24:24 | BuiltIn |
Security Center | 7e92882a-2f8a-4991-9bc4-d3147d40abb0 | Enable threat protection for AI workloads | Microsoft threat protection for AI workloads provides contextualized, evidence-based security alerts aimed at protecting home-grown Generative AI powered applications | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Security Admin | add | new Policy | 2024-08-05 18:24:24 | BuiltIn |
Cognitive Services | 67121cc7-ff39-4ab8-b7e3-95b84dab487d | Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK) | Using customer-managed keys to encrypt data at rest provides more control over the key lifecycle, including rotation and management. This is particularly relevant for organizations with related compliance requirements. This is not assessed by default and should only be applied when required by compliance or restrictive policy requirements. If not enabled, the data will be encrypted using platform-managed keys. To implement this, update the 'Effect' parameter in the Security Policy for the applicable scope. | Default: Audit; Allowed: Audit, Deny, Disabled | | change | Minor (2.1.0 > 2.2.0) | 2024-08-05 18:24:24 | BuiltIn |
Monitoring | 89ca9cc7-25cd-4d53-97ba-445ca7a1f222 | Deploy Dependency agent to be enabled on Windows virtual machines with Azure Monitoring Agent settings | Deploy Dependency agent for Windows virtual machines with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Log Analytics Contributor | change | Minor (1.2.2 > 1.3.0) | 2024-07-30 18:18:24 | BuiltIn |
Monitoring | 765266ab-e40e-4c61-bcb2-5a5275d0b7c0 | Deploy Dependency agent for Linux virtual machine scale sets | Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by calling upgrade on them. In the CLI this would be az vmss update-instances. | Fixed: deployIfNotExists | Virtual Machine Contributor | change | Minor (5.0.0 > 5.1.0) | 2024-07-30 18:18:24 | BuiltIn |
Monitoring | 32ade945-311e-4249-b8a4-a549924234d7 | Linux virtual machine scale sets should have Azure Monitor Agent installed | Linux virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machine scale sets with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | change | Minor (3.2.0 > 3.3.0) | 2024-07-30 18:18:24 | BuiltIn |
Monitoring | 1c210e94-a481-4beb-95fa-1571b434fb04 | Deploy - Configure Dependency agent to be enabled on Windows virtual machines | Deploy Dependency agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Log Analytics Contributor | change | Minor (3.1.0 > 3.2.0) | 2024-07-30 18:18:24 | BuiltIn |
Security Center | 3bc8a0d5-38e0-4a3d-a657-2cb64468fc34 | Azure Defender for SQL should be enabled for unprotected MySQL flexible servers | Audit MySQL flexible servers without Advanced Data Security | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | add | new Policy | 2024-07-30 18:18:24 | BuiltIn |
Monitoring | af0082fd-fa58-4349-b916-b0e47abb0935 | Deploy Dependency agent to be enabled on Windows virtual machine scale sets with Azure Monitoring Agent settings | Deploy Dependency agent for Windows virtual machine scale sets with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Virtual Machine Contributor | change | Minor (1.2.2 > 1.3.0) | 2024-07-30 18:18:24 | BuiltIn |
Monitoring | 4da21710-ce6f-4e06-8cdb-5cc4c93ffbee | Deploy Dependency agent for Linux virtual machines | Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. | Fixed: deployIfNotExists | Log Analytics Contributor | change | Minor (5.0.0 > 5.1.0) | 2024-07-30 18:18:24 | BuiltIn |
PostgreSQL | 12c74c95-0efd-48da-b8d9-2a7d68470c92 | PostgreSQL flexible servers should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your PostgreSQL flexible servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | Default: Audit; Allowed: Audit, Deny, Disabled | | change | Minor (1.0.0 > 1.1.0) | 2024-07-30 18:18:24 | BuiltIn |
Monitoring | 84cfed75-dfd4-421b-93df-725b479d356a | Configure Dependency agent on Azure Arc enabled Windows servers with Azure Monitoring Agent settings | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Log Analytics Contributor | change | Minor (1.1.2 > 1.2.0) | 2024-07-30 18:18:24 | BuiltIn |
Monitoring | 56a3e4f8-649b-4fac-887e-5564d11e8d3a | Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Virtual Machine Contributor | change | Minor (3.5.0 > 3.6.0) | 2024-07-30 18:18:24 | BuiltIn |
Monitoring | 2fea0c12-e7d4-4e03-b7bf-c34b2b8d787d | Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings | Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by calling upgrade on them. In the CLI this would be az vmss update-instances. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Virtual Machine Contributor | change | Minor (3.1.1 > 3.2.0) | 2024-07-30 18:18:24 | BuiltIn |
Monitoring | a4034bc6-ae50-406d-bf76-50f4ee5a7811 | Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Virtual Machine Contributor | change | Minor (3.5.0 > 3.6.0) | 2024-07-30 18:18:24 | BuiltIn |
Monitoring | 050a90d5-7cce-483f-8f6c-0df462036dda | Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Log Analytics Contributor, Monitoring Contributor | change | Minor (4.3.0 > 4.4.0) | 2024-07-30 18:18:24 | BuiltIn |
Monitoring | 91cb9edd-cd92-4d2f-b2f2-bdd8d065a3d4 | Configure Dependency agent on Azure Arc enabled Windows servers | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (2.0.0 > 2.1.0) | 2024-07-30 18:18:24 | BuiltIn |
Monitoring | 59c3d93f-900b-4827-a8bd-562e7b956e7c | Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Virtual Machine Contributor | change | Minor (3.7.0 > 3.8.0) | 2024-07-30 18:18:24 | BuiltIn |
Network | 7bca8353-aa3b-429b-904a-9229c4385837 | Subnets should be private | Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement | Default Audit Allowed Audit, Deny, Disabled | | add | new Policy | 2024-07-30 18:18:24 | BuiltIn |
Monitoring | 3be22e3b-d919-47aa-805e-8985dbeb0ad9 | Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets | Deploy Dependency agent for Windows virtual machine scale sets if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Virtual Machine Contributor | change | Minor (3.1.0 > 3.2.0) | 2024-07-30 18:18:24 | BuiltIn |
Monitoring | 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07 | Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (4.3.0 > 4.4.0) | 2024-07-30 18:18:24 | BuiltIn |
Monitoring | d55b81e1-984f-4a96-acab-fae204e3ca7f | Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings | Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (3.1.1 > 3.2.0) | 2024-07-30 18:18:24 | BuiltIn |
Monitoring | 1afdc4b6-581a-45fb-b630-f1e6051e3e7a | Linux virtual machines should have Azure Monitor Agent installed | Linux virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machines with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | change | Minor (3.2.0 > 3.3.0) | 2024-07-30 18:18:24 | BuiltIn |
Monitoring | ae8a10e6-19d6-44a3-a02d-a2bdfc707742 | Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Virtual Machine Contributor | change | Minor (3.7.0 > 3.8.0) | 2024-07-30 18:18:24 | BuiltIn |
Monitoring | 2ea82cdd-f2e8-4500-af75-67a2e084ca74 | Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (6.4.0 > 6.5.0) | 2024-07-30 18:18:24 | BuiltIn |
Monitoring | deacecc0-9f84-44d2-bb82-46f32d766d43 | Configure Dependency agent on Azure Arc enabled Linux servers | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (2.0.0 > 2.1.0) | 2024-07-30 18:18:24 | BuiltIn |
Monitoring | 08a4470f-b26d-428d-97f4-7e3e9c92b366 | Configure Dependency agent on Azure Arc enabled Linux servers with Azure Monitoring Agent settings | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (1.1.2 > 1.2.0) | 2024-07-30 18:18:24 | BuiltIn |
Security Center | cfdc5972-75b3-4418-8ae1-7f5c36839390 | Configure Microsoft Defender for Storage to be enabled | Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable all Defender for Storage capabilities; Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Owner | change | Minor (1.3.0 > 1.4.0) | 2024-07-17 18:20:29 | BuiltIn |
Azure Ai Services | d6759c02-b87f-42b7-892e-71b3f471d782 | Azure AI Services resources should use Azure Private Link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform reduces data leakage risks by handling the connectivity between the consumer and services over the Azure backbone network. Learn more about private links at: https://aka.ms/AzurePrivateLink/Overview | Default Audit Allowed Audit, Disabled | | add | new Policy | 2024-07-17 18:20:29 | BuiltIn |
Cognitive Services | cddd188c-4b82-4c48-a19d-ddf74ee66a01 | [Deprecated]: Cognitive Services should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. | Default Audit Allowed Audit, Disabled | | change | Patch, new suffix: deprecated (3.0.0 > 3.0.1-deprecated) | 2024-07-17 18:20:29 | BuiltIn |
Search | 0fda3595-9f2b-4592-8675-4231d6fa82fe | [Deprecated]: Azure Cognitive Search services should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Default Audit Allowed Audit, Disabled | | change | Patch, new suffix: deprecated (1.0.0 > 1.0.1-deprecated) | 2024-07-17 18:20:29 | BuiltIn |
Monitoring | 98569e20-8f32-4f31-bf34-0e91590ae9d3 | Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Virtual Machine Contributor | change | Minor (1.5.0 > 1.6.0) | 2024-07-17 18:20:29 | BuiltIn |
Monitoring | 637125fd-7c39-4b94-bb0a-d331faf333a9 | Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Virtual Machine Contributor | change | Minor (1.5.0 > 1.6.0) | 2024-07-17 18:20:29 | BuiltIn |
Kubernetes | c873b3ba-c605-42e4-a64b-a142a93826fc | [Preview]: Mutate K8s Container to drop all capabilities | Mutates securityContext.capabilities.drop to add in "ALL". This drops all capabilities for k8s linux containers | Default Mutate Allowed Mutate, Disabled | | add | new Policy | 2024-07-15 18:22:44 | BuiltIn |
Kubernetes | c812272d-7488-495f-a505-047d34b83f58 | [Preview]: Mutate K8s Init Container to drop all capabilities | Mutates securityContext.capabilities.drop to add in "ALL". This drops all capabilities for k8s linux init containers | Default Mutate Allowed Mutate, Disabled | | add | new Policy | 2024-07-15 18:22:44 | BuiltIn |
Compute | 7c1b1214-f927-48bf-8882-84f0af6588b1 | [Deprecated]: Resource logs in Virtual Machine Scale Sets should be enabled | This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID a3a6ea0c-e018-4933-9ef0-5aaa1501449b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation | Default Disabled Allowed AuditIfNotExists, Disabled | | change | Minor, suffix remains equal (2.1.0-deprecated > 2.2.0-deprecated) | 2024-07-09 18:20:14 | BuiltIn |
Kubernetes | 57f274ef-580a-4ed2-bcf8-5c6fa3775253 | [Preview]: Sets automountServiceAccountToken in the Pod spec in containers to false. | Setting automountServiceAccountToken to false increases security by avoiding the default auto-mounting of service account tokens | Default Mutate Allowed Mutate, Disabled | | add | new Policy | 2024-07-09 18:20:14 | BuiltIn |
Guest Configuration | 4078e558-bda6-41fb-9b3c-361e8875200d | [Deprecated]: Windows machines should have Log Analytics agent installed on Azure Arc | Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled windows server. | Default Disabled Allowed AuditIfNotExists, Disabled | | change | Minor, new suffix: deprecated (2.0.0 > 2.1.0-deprecated) | 2024-07-09 18:20:14 | BuiltIn |
Network | 72923a3a-e567-46d3-b3f9-ffb2462a1c3a | Virtual Hubs should be protected with Azure Firewall | Deploy an Azure Firewall to your Virtual Hubs to protect and granularly control internet egress and ingress traffic. | Default Audit Allowed Audit, Deny, Disabled | | add | new Policy | 2024-07-09 18:20:14 | BuiltIn |
Network | 7c591a93-c34c-464c-94ac-8f9f9a46e3d6 | Azure Firewall Standard - Classic Rules should enable Threat Intelligence | Threat intelligence-based filtering can be enabled for your firewall to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. | Default Audit Allowed Audit, Deny, Disabled | | add | new Policy | 2024-07-09 18:20:14 | BuiltIn |
Security Center | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | [Deprecated]: Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Default Disabled Allowed AuditIfNotExists, Disabled | | change | Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) | 2024-07-09 18:20:14 | BuiltIn |
Guest Configuration | 1e7fed80-8321-4605-b42c-65fc300f23a3 | [Deprecated]: Linux machines should have Log Analytics agent installed on Azure Arc | Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled Linux server. | Default Disabled Allowed AuditIfNotExists, Disabled | | change | Minor, new suffix: deprecated (1.1.0 > 1.2.0-deprecated) | 2024-07-09 18:20:14 | BuiltIn |
Kubernetes | 6f87d474-38a9-46c9-bdfe-d7fa3b9836bf | [Preview]: Sets Kubernetes cluster containers' secure computing mode profile type to RuntimeDefault if not present. | Setting secure computing mode profile type for containers to prevent unauthorized and potentially harmful system calls to the kernel from user space. | Default Mutate Allowed Mutate, Disabled | | add | new Policy | 2024-07-09 18:20:14 | BuiltIn |
Security Center | a4fe33eb-e377-4efb-ab31-0784311bc499 | [Deprecated]: Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Default Disabled Allowed AuditIfNotExists, Disabled | | change | Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) | 2024-07-09 18:20:14 | BuiltIn |
Network | 3f84c9b0-8b64-4208-98d4-6ada96bb49c3 | Azure Firewall Policy should have DNS Proxy Enabled | Enabling DNS Proxy will make the Azure Firewall associated with this policy to listen on port 53 and forward the DNS requests to specified DNS server | Default Audit Allowed Audit, Disabled | | add | new Policy | 2024-07-09 18:20:14 | BuiltIn |
Network | 8c19196d-7fd7-45b2-a9b4-7288f47c769a | Azure Firewall Standard should be upgraded to Premium for next generation protection | If you are looking for next generation protection like IDPS and TLS inspection, you should consider upgrading your Azure Firewall to Premium sku. | Default Audit Allowed Audit, Deny, Disabled | | add | new Policy | 2024-07-09 18:20:14 | BuiltIn |
Network | 3e1f521a-d037-4709-bdd6-1f532f271a75 | Azure Firewall should be deployed to span multiple Availability Zones | For increased availability we recommend deploying your Azure Firewall to span multiple Availability Zones. This ensures that your Azure Firewall will remain available in the event of a zone failure. | Default Audit Allowed Audit, Deny, Disabled | | add | new Policy | 2024-07-09 18:20:14 | BuiltIn |
Network | 794d77cc-fe65-4801-8514-230c0be387a8 | Azure Firewall Classic Rules should be migrated to Firewall Policy | Migrate from Azure Firewall Classic Rules to Firewall Policy to utilize central management tools such as Azure Firewall Manager. | Default Audit Allowed Audit, Deny, Disabled | | add | new Policy | 2024-07-09 18:20:14 | BuiltIn |
Kubernetes | 97de439f-fd35-4d43-a693-3644f51a51fd | [Preview]: Sets Kubernetes cluster init containers securityContext.runAsUser fields to 1000, a non-root user id | Reduces attack surface introduced by escalating privileges as root user in the presence of security vulnerabilities. | Default Mutate Allowed Mutate, Disabled | | add | new Policy | 2024-07-09 18:20:14 | BuiltIn |
Kubernetes | a8e3ce3c-cac3-4402-a28a-03ee3ede9790 | [Preview]: Sets Kubernetes cluster container securityContext.runAsUser fields to 1000, a non-root user id | Reduces attack surface introduced by escalating privileges as root user in the presence of security vulnerabilities. | Default Mutate Allowed Mutate, Disabled | | add | new Policy | 2024-07-09 18:20:14 | BuiltIn |
Kubernetes | 4ee3ee6a-96ea-4d25-9c00-17f11d2e02c8 | [Preview]: Sets Privilege escalation in the Pod spec in init containers to false. | Setting Privilege escalation to false in init containers increases security by preventing containers from allowing privilege escalation such as via set-user-ID or set-group-ID file mode. | Default Mutate Allowed Mutate, Disabled | | add | new Policy | 2024-07-09 18:20:14 | BuiltIn |
Network | dfb5ac92-ce74-4dbc-81fa-87243e62d5d3 | Azure Firewall Policy Analytics should be Enabled | Enabling Policy Analytics provides enhanced visibility into traffic flowing through Azure Firewall, enabling the optimization of your firewall configuration without impacting your application performance | Default Audit Allowed Audit, Disabled | | add | new Policy | 2024-07-09 18:20:14 | BuiltIn |
Kubernetes | fe74a23d-79e4-401c-bd0d-fd7a5b35af32 | [Preview]: Sets Kubernetes cluster Pod securityContext.runAsUser fields to 1000, a non-root user id | Reduces attack surface introduced by escalating privileges as root user in the presence of security vulnerabilities. | Default Mutate Allowed Mutate, Disabled | | add | new Policy | 2024-07-09 18:20:14 | BuiltIn |
Network | da79a7e2-8aa1-45ed-af81-ba050c153564 | Azure Firewall Policy should enable Threat Intelligence | Threat intelligence-based filtering can be enabled for your firewall to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. | Default Audit Allowed Audit, Deny, Disabled | | add | new Policy | 2024-07-09 18:20:14 | BuiltIn |
Kubernetes | e24df237-32cb-4a6c-a2f6-85b499cda9f2 | [Preview]: Prints a message if a mutation is applied | Looks up the mutation annotations applied and prints a message if annotation exists. | Default Audit Allowed Audit, Disabled | | add | new Policy | 2024-07-09 18:20:14 | BuiltIn |
Kubernetes | 6bcd4321-fb89-4e3e-bf6c-999c13d47f43 | [Preview]: Sets Kubernetes cluster init containers' secure computing mode profile type to RuntimeDefault if not present. | Setting secure computing mode profile type for init containers to prevent unauthorized and potentially harmful system calls to the kernel from user space. | Default Mutate Allowed Mutate, Disabled | | add | new Policy | 2024-07-09 18:20:14 | BuiltIn |
Kubernetes | d77df159-718b-4aca-b94b-8e8890a98231 | [Preview]: Sets Privilege escalation in the Pod spec to false. | Setting Privilege escalation to false increases security by preventing containers from allowing privilege escalation such as via set-user-ID or set-group-ID file mode. | Default Mutate Allowed Mutate, Disabled | | add | new Policy | 2024-07-09 18:20:14 | BuiltIn |
Security Center | ac4a19c2-fa67-49b4-8ae5-0b2e78c49457 | Role-Based Access Control (RBAC) should be used on Kubernetes Services | To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. | Default Audit Allowed Audit, Disabled | | change | Patch (1.0.3 > 1.0.4) | 2024-07-09 18:20:14 | BuiltIn |
Managed Grafana | bc33de80-97cd-4c11-b6b4-d075e03c7d60 | Configure Azure Managed Grafana workspaces with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Managed Grafana, you can reduce data leakage risks. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Contributor | change | Patch (1.0.0 > 1.0.1) | 2024-06-28 18:15:04 | BuiltIn |
Managed Grafana | 3a97e513-f75e-4230-8137-1efad4eadbbc | Azure Managed Grafana workspaces should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Managed Grafana, you can reduce data leakage risks. | Default Audit Allowed Audit, Disabled | | change | Patch (1.0.0 > 1.0.1) | 2024-06-28 18:15:04 | BuiltIn |
Managed Grafana | 0656cf40-485c-427b-b992-703a4ecf4f88 | Azure Managed Grafana workspaces should disable service account | Disables API keys and service account for automated workloads in Grafana workspace. | Default Audit Allowed Audit, Deny, Disabled | | add | new Policy | 2024-06-28 18:15:04 | BuiltIn |
Managed Grafana | a08f2347-fe9c-482b-a944-f6a0e05124c0 | Azure Managed Grafana workspaces should disable Grafana Enterprise upgrade | Disables Grafana Enterprise upgrade in Grafana workspace. | Default Audit Allowed Audit, Deny, Disabled | | add | new Policy | 2024-06-28 18:15:04 | BuiltIn |
Managed Grafana | b6752a42-6fc3-46cb-8a15-33aa109407b1 | Azure Managed Grafana workspaces should disable email settings | Disables SMTP settings configuration of email contact point for alerting in Grafana workspace. | Default Audit Allowed Audit, Deny, Disabled | | add | new Policy | 2024-06-28 18:15:04 | BuiltIn |
Kubernetes | 28257686-e9db-403e-b9e2-a5eecbe03da9 | Azure Kubernetes Clusters should disable SSH | Disable SSH gives you the ability to secure your cluster and reduce the attack surface. To learn more, visit: aka.ms/aks/disablessh | Default Audit Allowed Audit, Disabled | | add | new Policy | 2024-06-24 18:15:26 | BuiltIn |
Network | 610b6183-5f00-4d68-86d2-4ab4cb3a67a5 | [Deprecated]: Firewall Policy Premium should enable all IDPS signature rules to monitor all inbound and outbound traffic flows | This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default Disabled Allowed Audit, Deny, Disabled | | change | Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) | 2024-06-14 18:20:16 | BuiltIn |
Network | 632d3993-e2c0-44ea-a7db-2eca131f356d | [Deprecated]: Web Application Firewall (WAF) should enable all firewall rules for Application Gateway | This policy is deprecated because sometimes it is impractical to enable all WAF rules. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID 564feb30-bf6a-4854-b4bb-0d2d2d1e6c66. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default Disabled Allowed Audit, Deny, Disabled | | change | Minor, new suffix: deprecated (1.0.1 > 1.1.0-deprecated) | 2024-06-14 18:20:16 | BuiltIn |
PostgreSQL | 78ed47da-513e-41e9-a088-e829b373281d | Deploy Diagnostic Settings for PostgreSQL flexible servers to Log Analytics workspace | Deploys the diagnostic settings for PostgreSQL flexible servers to stream to a regional Log Analytics workspace when any PostgreSQL flexible servers which is missing this diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | add | new Policy | 2024-06-14 18:20:16 | BuiltIn |
Network | f516dc7a-4543-4d40-aad6-98f76a706b50 | [Deprecated]: Bypass list of Intrusion Detection and Prevention System (IDPS) should be empty in Firewall Policy Premium | This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default Disabled Allowed Audit, Deny, Disabled | | change | Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) | 2024-06-14 18:20:16 | BuiltIn |
Guest Configuration | d96163de-dbe0-45ac-b803-0e9ca0f5764e | Windows machines should configure Windows Defender to update protection signatures within one day | To provide adequate protection against newly released malware, Windows Defender protection signatures need to be updated regularly to account for newly released malware. This policy is not applied to Arc connected servers and it requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | change | Patch (1.0.0 > 1.0.1) | 2024-06-14 18:20:16 | BuiltIn |
Guest Configuration | 2454bbee-dc19-442f-83fc-7f3114cafd91 | [Deprecated]: Windows machines should use the default NTP server | This policy is deprecated because Microsoft 365 App Compliance Program no longer checks the default NTP server on Windows machines. Learn more details about the latest M365 APP Compliance requirements at aka.ms/acat-cert2-seg-ops. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default Disabled Allowed AuditIfNotExists, Disabled | | change | Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) | 2024-06-14 18:20:16 | BuiltIn |
Guest Configuration | b3248a42-b1c1-41a4-87bc-8bad3d845589 | Windows machines should enable Windows Defender Real-time protection | Windows machines should enable the Real-time protection in the Windows Defender to provide adequate protection against newly released malware. This policy is not applicable to arc connected servers and it requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | change | Patch (1.0.0 > 1.0.1) | 2024-06-14 18:20:16 | BuiltIn |
Guest Configuration | 3810e389-1d92-4f77-9267-33bdcf0bd225 | [Deprecated]: Windows machines should schedule Windows Defender to perform a scheduled scan every day | This policy is deprecated because Microsoft 365 App Compliance Program no longer checks schedule frequency on Windows machines. Learn more details about the latest M365 APP Compliance requirements at aka.ms/acat-cert2-seg-ops. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default Disabled Allowed AuditIfNotExists, Disabled | | change | Minor, new suffix: deprecated (1.2.0 > 1.3.0-deprecated) | 2024-06-14 18:20:16 | BuiltIn |
SQL | 5e1de0e3-42cb-4ebc-a86d-61d0c619ca48 | Public network access should be disabled for PostgreSQL flexible servers | Disabling the public network access property improves security by ensuring your Azure Database for PostgreSQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP based firewall rules. | Default Audit Allowed Audit, Deny, Disabled | | change | Minor (3.0.1 > 3.1.0) | 2024-06-14 18:20:16 | BuiltIn |
PostgreSQL | ce39a96d-bf09-4b60-8c32-e85d52abea0f | A Microsoft Entra administrator should be provisioned for PostgreSQL flexible servers | Audit provisioning of a Microsoft Entra administrator for your PostgreSQL flexible server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | add | new Policy | 2024-06-14 18:20:16 | BuiltIn |
Network | 6484db87-a62d-4327-9f07-80a2cbdf333a | [Deprecated]: Firewall Policy Premium should enable the Intrusion Detection and Prevention System (IDPS) | This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default Disabled Allowed Audit, Deny, Disabled | | change | Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) | 2024-06-14 18:20:16 | BuiltIn |
Network | f2c2d0a6-e183-4fc8-bd8f-363c65d3bbbf | [Deprecated]: Subscription should configure the Azure Firewall Premium to provide additional layer of protection | This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default Disabled Allowed AuditIfNotExists, Disabled | | change | Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) | 2024-06-14 18:20:16 | BuiltIn |
Network | a58ac66d-92cb-409c-94b8-8e48d7a96596 | [Deprecated]: Azure firewall policy should enable TLS inspection within application rules | This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default Disabled Allowed Audit, Deny, Disabled | | change | Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) | 2024-06-14 18:20:16 | BuiltIn |
PostgreSQL | 12c74c95-0efd-48da-b8d9-2a7d68470c92 | PostgreSQL flexible servers should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your PostgreSQL flexible servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | Default Audit Allowed Audit, Deny, Disabled | | add | new Policy | 2024-06-14 18:20:16 | BuiltIn |
Network | 711c24bb-7f18-4578-b192-81a6161e1f17 | [Deprecated]: Azure Firewall Premium should configure a valid intermediate certificate to enable TLS inspection | This policy is deprecated because the Microsoft 365 App Compliance Program no longer requires Azure Firewall Premium as the only network security control solution. Learn more about the latest M365 App Compliance requirements for network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default: Disabled; Allowed: Audit, Deny, Disabled | | change | Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) | 2024-06-14 18:20:16 | BuiltIn |
PostgreSQL | 4eb5e667-e871-4292-9c5d-8bbb94e0c908 | Auditing with PgAudit should be enabled for PostgreSQL flexible servers | This policy helps audit any PostgreSQL flexible servers in your environment that are not enabled to use pgaudit. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | add | new Policy | 2024-06-14 18:20:16 | BuiltIn |
PostgreSQL | a43d5475-c569-45ce-a268-28fa79f4e87a | PostgreSQL flexible servers should be running TLS version 1.2 or newer | This policy helps audit any PostgreSQL flexible servers in your environment that are running with a TLS version lower than 1.2. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | add | new Policy | 2024-06-14 18:20:16 | BuiltIn |
Security Center | 63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 | Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 001 • Contributor | change | Minor (1.6.0 > 1.7.0) | 2024-06-10 18:18:08 | BuiltIn |
Kubernetes | 64def556-fbad-4622-930e-72d1d5589bf5 | Configure Azure Kubernetes Service clusters to enable Defender profile | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 002 • Defender Kubernetes Agent Operator • Kubernetes Agent Operator | change | Minor (4.1.0 > 4.2.0) | 2024-06-10 18:18:08 | BuiltIn |
Security Center | Deploy-ASC-SecurityContacts | Deploy Microsoft Defender for Cloud Security Contacts | Deploy Microsoft Defender for Cloud Security Contacts | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 001 • Security Admin | change | Major (1.1.0 > 2.0.0) | 2024-06-10 18:18:08 | ALZ |
DevOpsInfrastructure | 0d6d79a8-8406-4e87-814d-2dcd83b2c355 | [Preview]: Microsoft Managed DevOps Pools should be provided with valid subnet resource in order to configure with own virtual network. | Disallows creating Pool resources if a valid subnet resource is not provided. | Default: Audit; Allowed: Audit, Deny, Disabled | | add | new Policy | 2024-06-10 18:18:08 | BuiltIn |
Security Center | c859b78a-a128-4376-a838-e97ce6625d16 | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 001 • Contributor | change | Minor (1.5.0 > 1.6.0) | 2024-06-10 18:18:08 | BuiltIn |
Security Center | da0fd392-9669-4ad4-b32c-ca46aaa6c21f | Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 001 • Contributor | change | Minor (1.4.0 > 1.5.0) | 2024-06-10 18:18:08 | BuiltIn |
Security Center | 04754ef9-9ae3-4477-bf17-86ef50026304 | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 001 • Contributor | change | Minor (1.6.0 > 1.7.0) | 2024-06-10 18:18:08 | BuiltIn |
General | DenyAction-DeleteResources | Do not allow deletion of specified resource and resource type | This policy enables you to specify the resource and resource type that your organization can protect from accidental deletion by blocking delete calls using the deny action effect. | Default: DenyAction; Allowed: DenyAction, Disabled | | add | new Policy | 2024-06-06 18:16:12 | ALZ |
Monitoring | Deploy-Diagnostics-EventGridSystemTopic | [Deprecated]: Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace | Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 002 • Log Analytics Contributor • Monitoring Contributor | change | Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Storage | Deny-Storage-LocalUser | Local users should be restricted for Storage Accounts | Azure Storage accounts should disable local users for features like SFTP. Enforce this for increased data exfiltration protection. | Default: Deny; Allowed: Audit, Deny, Disabled | | add | new Policy | 2024-06-03 17:39:43 | ALZ |
Storage | Deny-Storage-ResourceAccessRulesTenantId | Resource Access Rules Tenants should be restricted for Storage Accounts | Azure Storage accounts should restrict the resource access rule for service-level network ACLs to services from the same AAD tenant. Enforce this for increased data exfiltration protection. | Default: Deny; Allowed: Audit, Deny, Disabled | | add | new Policy | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-MlWorkspace | [Deprecated]: Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace | Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 002 • Log Analytics Contributor • Monitoring Contributor | change | Version remains equal, new suffix: deprecated (1.2.0 > 1.2.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Network | Audit-PrivateLinkDnsZones | Audit or Deny the creation of Private Link Private DNS Zones | This policy audits or denies, depending on the assignment effect, the creation of Private Link Private DNS Zones in the current scope. It is used in combination with policies that create centralized private DNS in the connectivity subscription. | Default: Audit; Allowed: Audit, Deny, Disabled | | change | Patch (1.0.1 > 1.0.2) | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-SQLMI | [Deprecated]: Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace | Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instance that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 002 • Log Analytics Contributor • Monitoring Contributor | change | Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-TrafficManager | [Deprecated]: Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace | Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 002 • Log Analytics Contributor • Monitoring Contributor | change | Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-Relay | [Deprecated]: Deploy Diagnostic Settings for Relay to Log Analytics workspace | Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 002 • Log Analytics Contributor • Monitoring Contributor | change | Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-ApplicationGateway | [Deprecated]: Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace | Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 002 • Log Analytics Contributor • Monitoring Contributor | change | Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-ApiForFHIR | [Deprecated]: Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace | Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 002 • Log Analytics Contributor • Monitoring Contributor | change | Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-APIMgmt | [Deprecated]: Deploy Diagnostic Settings for API Management to Log Analytics workspace | Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management instance that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 002 • Log Analytics Contributor • Monitoring Contributor | change | Version remains equal, new suffix: deprecated (1.2.0 > 1.2.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-HDInsight | [Deprecated]: Deploy Diagnostic Settings for HDInsight to Log Analytics workspace | Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight cluster that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 002 • Log Analytics Contributor • Monitoring Contributor | change | Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-DataFactory | [Deprecated]: Deploy Diagnostic Settings for Data Factory to Log Analytics workspace | Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 002 • Log Analytics Contributor • Monitoring Contributor | change | Version remains equal, new suffix: deprecated (1.2.0 > 1.2.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Guest Configuration | e22a2f03-0534-4d10-8ea0-aa25a6113233 | Configure SSH security posture for Linux (powered by OSConfig) | This policy audits and configures SSH server security configuration on Linux machines (Azure VMs and Arc-enabled machines). For more information including pre-requisites, settings in scope, defaults, and customization, see https://aka.ms/SshPostureControlOverview | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 001 • Guest Configuration Resource Contributor | add | new Policy | 2024-06-03 17:39:43 | BuiltIn |
Logic Apps | Deploy-LogicApp-TLS | Configure Logic apps to use the latest TLS version | Periodically, newer versions of TLS are released to address security flaws, add functionality, and improve speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionality of the latest version. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 001 • Website Contributor | add | new Policy | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-Bastion | [Deprecated]: Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace | Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Azure Bastion that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 002 • Log Analytics Contributor • Monitoring Contributor | change | Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Network | Deny-AzFw-Without-Policy | Azure Firewall should have a default Firewall Policy | This policy denies the creation of Azure Firewall without a default Firewall Policy. | Default: Deny; Allowed: Audit, Deny, Disabled | | add | new Policy | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-AVDScalingPlans | [Deprecated]: Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace | Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 002 • Log Analytics Contributor • Monitoring Contributor | change | Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-DLAnalytics | [Deprecated]: Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace | Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics account that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 002 • Log Analytics Contributor • Monitoring Contributor | change | Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Network | Modify-UDR | Enforce specific configuration of User-Defined Routes (UDR) | This policy enforces the configuration of User-Defined Routes (UDR) within a subnet. | Default: Modify; Allowed: Modify, Disabled | count: 001 • Network Contributor | add | new Policy | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-EventGridTopic | [Deprecated]: Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace | Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 002 • Log Analytics Contributor • Monitoring Contributor | change | Version remains equal, new suffix: deprecated (1.2.0 > 1.2.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Security Center | 0961003e-5a0a-4549-abde-af6a37f2724d | [Deprecated]: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources | This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign the replacement policies with policy IDs 3dc5edcd-002d-444c-b216-e123bbfa37c0 and ca88aadc-6e2b-416c-9de2-5a0f01d1693f. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. | Default: Disabled; Allowed: AuditIfNotExists, Disabled | | change | Minor, new suffix: deprecated (2.0.3 > 2.1.0-deprecated) | 2024-06-03 17:39:43 | BuiltIn |
Network | Deny-AppGw-Without-Tls | Application Gateway should be deployed with predefined Microsoft policy that is using TLS version 1.2 | This policy ensures that Application Gateways are always deployed with a predefined Microsoft policy that uses TLS version 1.2. | Default: Deny; Allowed: Audit, Deny, Disabled | | add | new Policy | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-PowerBIEmbedded | [Deprecated]: Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace | Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded resource that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 002 • Log Analytics Contributor • Monitoring Contributor | change | Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Logic Apps | Deny-LogicApps-Without-Https | Logic app should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Default: Deny; Allowed: Audit, Deny, Disabled | | add | new Policy | 2024-06-03 17:39:43 | ALZ |
Logic Apps | Deny-LogicApp-Public-Network | Logic apps should disable public network access | Disabling public network access improves security by ensuring that the Logic App is not exposed on the public internet. Creating private endpoints can limit exposure of a Logic App. Learn more at: https://aka.ms/app-service-private-endpoint. | Default: Deny; Allowed: Audit, Deny, Disabled | | add | new Policy | 2024-06-03 17:39:43 | ALZ |
App Service | Deny-AppService-without-BYOC | App Service certificates must be stored in Key Vault | App Service (including Logic apps and Function apps) must use certificates stored in Key Vault. | Default: Audit; Allowed: Audit, Deny, Disabled | | add | new Policy | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-WVDAppGroup | [Deprecated]: Deploy Diagnostic Settings for AVD Application group to Log Analytics workspace | Deploys the diagnostic settings for AVD Application group to stream to a Log Analytics workspace when any application group that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 002 • Log Analytics Contributor • Monitoring Contributor | change | Version remains equal, new suffix: deprecated (1.1.1 > 1.1.1-deprecated) | 2024-06-03 17:39:43 | ALZ |
Security Center | Deploy-MDFC-Arc-Sql-DefenderSQL-DCR | [Deprecated]: Configure Arc-enabled SQL Servers to auto install Microsoft Defender for SQL and DCR with a user-defined LAW | Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/63d03cbd-47fd-4ee1-8a1c-9ddf07303de0.html | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 001 • Contributor | change | Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated); superseded by: Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace (63d03cbd-47fd-4ee1-8a1c-9ddf07303de0), BuiltIn | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-VNetGW | [Deprecated]: Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace | Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 002 • Log Analytics Contributor • Monitoring Contributor | change | Version remains equal, new suffix: deprecated (1.1.1 > 1.1.1-deprecated) | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-RedisCache | [Deprecated]: Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace | Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 002 • Log Analytics Contributor • Monitoring Contributor | change | Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Storage | Deny-Storage-CorsRules | Storage Accounts should restrict CORS rules | Deny CORS rules for storage accounts for increased data exfiltration protection and endpoint protection. | Default: Deny; Allowed: Audit, Deny, Disabled | | add | new Policy | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-SQLElasticPools | [Deprecated]: Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace | Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pool that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 002 • Log Analytics Contributor • Monitoring Contributor | change | Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Network | Modify-NSG | Enforce specific configuration of Network Security Groups (NSG) | This policy enforces the configuration of Network Security Groups (NSG). | Default: Modify; Allowed: Modify, Disabled | count: 001 • Network Contributor | add | new Policy | 2024-06-03 17:39:43 | ALZ |
Storage | Deny-Storage-ServicesEncryption | Encryption for storage services should be enforced for Storage Accounts | Azure Storage accounts should enforce encryption for all storage services. Enforce this for increased encryption scope. | Default: Deny; Allowed: Audit, Deny, Disabled | | add | new Policy | 2024-06-03 17:39:43 | ALZ |
Networking | Deploy-Private-DNS-Generic | Deploy-Private-DNS-Generic | Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 001 • Network Contributor | add | new Policy | 2024-06-03 17:39:43 | ALZ |
Cognitive Services | Deny-CognitiveServices-Resource-Kinds | Only explicit kinds for Cognitive Services should be allowed | Azure Cognitive Services should only create explicitly allowed kinds. | Default: Deny; Allowed: Audit, Deny, Disabled | | add | new Policy | 2024-06-03 17:39:43 | ALZ |
Cognitive Services | Deny-CognitiveServices-RestrictOutboundNetworkAccess | Outbound network access should be restricted for Cognitive Services | Azure Cognitive Services allow restricting outbound network access. Enable this to limit outbound connectivity for the service. | Default: Deny; Allowed: Audit, Deny, Disabled | | add | new Policy | 2024-06-03 17:39:43 | ALZ |
Security Center | Deploy-MDFC-Arc-SQL-DCR-Association | [Deprecated]: Configure Arc-enabled SQL Servers with DCR Association to Microsoft Defender for SQL user-defined DCR | Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/2227e1f1-23dd-4c3a-85a9-7024a401d8b2.html | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 002 • Log Analytics Contributor • Monitoring Contributor | change | Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated); superseded by: Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR (2227e1f1-23dd-4c3a-85a9-7024a401d8b2), BuiltIn | 2024-06-03 17:39:43 | ALZ |
Storage | Deny-Storage-minTLS | [Deprecated] Storage Account set to minimum TLS and Secure transfer should be enabled | Audit requirement of Secure transfer in your storage account. This policy is superseded by https://www.azadvertizer.net/azpolicyadvertizer/fe83a0eb-a853-422d-aac2-1bffd182c5d0.html and https://www.azadvertizer.net/azpolicyadvertizer/404c3081-a854-4457-ae30-26a93ef643f9.html | Default: Deny; Allowed: Audit, Deny, Disabled | | change | Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated); superseded by: Policy (fe83a0eb-a853-422d-aac2-1bffd182c5d0, 404c3081-a854-4457-ae30-26a93ef643f9) | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-TimeSeriesInsights | [Deprecated]: Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace | Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights environment that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 002 • Log Analytics Contributor • Monitoring Contributor | change | Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-PostgreSQL | [Deprecated]: Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace | Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 002 • Log Analytics Contributor • Monitoring Contributor | change | Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-Function | [Deprecated]: Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace | Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 002 • Log Analytics Contributor • Monitoring Contributor | change | Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-NIC | [Deprecated]: Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace | Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interface that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 002 • Log Analytics Contributor • Monitoring Contributor | change | Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Storage | Deny-Storage-NetworkAclsBypass | Network ACL bypass option should be restricted for Storage Accounts | Azure Storage accounts should restrict the bypass option for service-level network ACLs. Enforce this for increased data exfiltration protection. | Default: Deny; Allowed: Audit, Deny, Disabled | | add | new Policy | 2024-06-03 17:39:43 | ALZ |
Network | Deny-Service-Endpoints | Deny or Audit service endpoints on subnets | This policy will deny or audit Service Endpoints on subnets. Service Endpoints allow network traffic to bypass network appliances such as the Azure Firewall. | Default: Deny; Allowed: Audit, Deny, Disabled | | add | new Policy | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-Website | [Deprecated]: Deploy Diagnostic Settings for App Service to Log Analytics workspace | Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Version remains equal, new suffix: deprecated (1.2.0 > 1.2.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-Databricks | [Deprecated]: Deploy Diagnostic Settings for Databricks to Log Analytics workspace | Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Version remains equal, new suffix: deprecated (1.3.0 > 1.3.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
SQL | fa498b91-8a7e-4710-9578-da944c68d1fe | [Preview]: Azure PostgreSQL flexible server should have Microsoft Entra Only Authentication enabled | Disabling local authentication methods and allowing only Microsoft Entra Authentication improves security by ensuring that Azure PostgreSQL flexible server can exclusively be accessed by Microsoft Entra identities. | Default Audit Allowed Audit, Disabled |
add |
new Policy | 2024-06-03 17:39:43 | BuiltIn | |
Security Center | Deploy-MDFC-SQL-DefenderSQL-DCR | [Deprecated]: Configure SQL Virtual Machines to auto install Microsoft Defender for SQL and DCR with a user-defined LAW | Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/04754ef9-9ae3-4477-bf17-86ef50026304.html | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Version remains equal, new suffix: deprecated (1.0.1 > 1.0.1-deprecated) Superseded by: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace (04754ef9-9ae3-4477-bf17-86ef50026304) BuiltIn |
2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-iotHub | [Deprecated]: Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace | Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Event Hub | Deny-EH-Premium-CMK | Event Hub namespaces (Premium) should use a customer-managed key for encryption | Event Hub namespaces (Premium) should use a customer-managed key for encryption. | Default Deny Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-06-03 17:39:43 | ALZ | |
Monitoring | Deploy-Diagnostics-CognitiveServices | [Deprecated]: Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace | Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-AnalysisService | [Deprecated]: Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace | Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Cognitive Services | Deny-CognitiveServices-NetworkAcls | Network ACLs should be restricted for Cognitive Services | Azure Cognitive Services should not allow adding individual IPs or virtual network rules to the service-level firewall. Enable this to restrict inbound network access and enforce the usage of private endpoints. | Default Deny Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-06-03 17:39:43 | ALZ | |
Monitoring | Deploy-Diagnostics-VirtualNetwork | [Deprecated]: Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace | Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Security Center | Deploy-MDFC-SQL-AMA | [Deprecated]: Configure SQL Virtual Machines to automatically install Azure Monitor Agent | Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/f91991d1-5383-4c95-8ee5-5ac423dd8bb1.html | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) Superseded by: Configure SQL Virtual Machines to automatically install Azure Monitor Agent (f91991d1-5383-4c95-8ee5-5ac423dd8bb1) BuiltIn |
2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-ExpressRoute | [Deprecated]: Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace | Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Event Hub | Deny-EH-minTLS | Event Hub namespaces should use a valid TLS version | Event Hub namespaces should use a valid TLS version. | Default Deny Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-06-03 17:39:43 | ALZ | |
Monitoring | Deploy-Diagnostics-WebServerFarm | [Deprecated]: Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace | Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
API Management | Deny-APIM-TLS | API Management services should use TLS version 1.2 | Azure API Management service should use TLS version 1.2 | Default Deny Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-06-03 17:39:43 | ALZ | |
Monitoring | Deploy-Diagnostics-MediaService | [Deprecated]: Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace | Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-CDNEndpoints | [Deprecated]: Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace | Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-ACR | [Deprecated]: Deploy Diagnostic Settings for Container Registry to Log Analytics workspace | Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-Firewall | [Deprecated]: Deploy Diagnostic Settings for Firewall to Log Analytics workspace | Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Version remains equal, new suffix: deprecated (1.2.0 > 1.2.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-LoadBalancer | [Deprecated]: Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace | Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-ACI | [Deprecated]: Deploy Diagnostic Settings for Container Instances to Log Analytics workspace | Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-VWanS2SVPNGW | [Deprecated]: Deploy Diagnostic Settings for VWAN S2S VPN Gateway to Log Analytics workspace | Deploys the diagnostic settings for VWAN S2S VPN Gateway to stream to a Log Analytics workspace when any VWAN S2S VPN Gateway which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Storage | Deny-Storage-CopyScope | Allowed Copy scope should be restricted for Storage Accounts | Azure Storage accounts should restrict the allowed copy scope. Enforce this for increased data exfiltration protection. | Default Deny Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-06-03 17:39:43 | ALZ | |
Monitoring | Deploy-Diagnostics-FrontDoor | [Deprecated]: Deploy Diagnostic Settings for Front Door to Log Analytics workspace | Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-WVDWorkspace | [Deprecated]: Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace | Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Version remains equal, new suffix: deprecated (1.1.1 > 1.1.1-deprecated) | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-VM | [Deprecated]: Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace | Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-SignalR | [Deprecated]: Deploy Diagnostic Settings for SignalR to Log Analytics workspace | Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-AA | [Deprecated]: Deploy Diagnostic Settings for Automation to Log Analytics workspace | Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-DataExplorerCluster | [Deprecated]: Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace | Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Storage | Deny-Storage-NetworkAclsVirtualNetworkRules | Virtual network rules should be restricted for Storage Accounts | Azure Storage accounts should restrict the virtual network service-level network ACLs. Enforce this for increased data exfiltration protection. | Default Deny Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-06-03 17:39:43 | ALZ | |
Monitoring | Deploy-Diagnostics-MySQL | [Deprecated]: Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace | Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Storage | Deny-Storage-ResourceAccessRulesResourceId | Resource Access Rules resource IDs should be restricted for Storage Accounts | Azure Storage accounts should restrict the resource access rule for service-level network ACLs to services from a specific Azure subscription. Enforce this for increased data exfiltration protection. | Default Deny Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-06-03 17:39:43 | ALZ | |
Monitoring | Deploy-Diagnostics-EventGridSub | [Deprecated]: Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace | Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Storage | Deny-Storage-ContainerDeleteRetentionPolicy | Storage Accounts should use a container delete retention policy | Enforce container delete retention policies larger than seven days for storage account. Enable this for increased data loss protection. | Default Deny Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-06-03 17:39:43 | ALZ | |
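The five Deny-Storage-* rows above (network ACL bypass, virtual network rules, resource access rule resource IDs, copy scope, container delete retention) each deny one storage-account property. The checker below is an added example and not the ALZ policy definitions: it evaluates, offline, the JSON shapes that `az storage account show` and `az storage account blob-service-properties show` return, so a template can be vetted before a Deny assignment rejects it at deployment time. The allowed-subscription parameter, the allowed bypass and copy-scope sets and the seven-day minimum are assumptions taken from the policy descriptions; the sample accounts are constructed.

```python
"""Offline pre-flight check mirroring the five ALZ Deny-Storage-* policies.

Added example; not the ALZ policy definitions, which remain the source of
truth for what Azure Policy will deny. Input is the JSON that
`az storage account show` / `az storage account blob-service-properties show`
return. Allowed subscription, allowed bypass/copy-scope sets and the 7-day
minimum are assumptions drawn from the policy descriptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    policy: str  # ALZ policy name the check mirrors
    detail: str


def bypass_set(value: str | None) -> set[str]:
    # networkAcls.bypass is one comma-separated string, e.g. "AzureServices, Logging"
    return {part.strip() for part in (value or "None").split(",") if part.strip()}


def evaluate_storage_account(
    account: dict,
    blob_service: dict,
    allowed_subscription: str,
    allowed_bypass: frozenset[str] = frozenset({"None"}),
    allowed_copy_scopes: frozenset[str] = frozenset({"AAD", "PrivateLink"}),
    min_container_retention_days: int = 7,
) -> list[Finding]:
    findings: list[Finding] = []
    props = account.get("properties", account)  # az CLI flattens properties, ARM nests them
    acls = props.get("networkAcls") or {}

    # Deny-Storage-NetworkAclsBypass: AzureServices/Logging/Metrics pass the
    # account firewall regardless of defaultAction.
    bypass = bypass_set(acls.get("bypass"))
    if not bypass <= allowed_bypass:
        findings.append(Finding("Deny-Storage-NetworkAclsBypass", f"bypass={sorted(bypass)}"))

    # Deny-Storage-NetworkAclsVirtualNetworkRules: service-endpoint subnet rules
    # reach the public endpoint instead of a private endpoint.
    vnet_rules = acls.get("virtualNetworkRules") or []
    if vnet_rules:
        findings.append(Finding("Deny-Storage-NetworkAclsVirtualNetworkRules",
                                f"{len(vnet_rules)} virtual network rule(s)"))

    # Deny-Storage-ResourceAccessRulesResourceId: resource instance rules accept
    # wildcards ("/subscriptions/*/..."), so require our own subscription prefix.
    prefix = f"/subscriptions/{allowed_subscription}/".lower()
    for rule in acls.get("resourceAccessRules") or []:
        resource_id = rule.get("resourceId") or ""
        if not resource_id.lower().startswith(prefix):
            findings.append(Finding("Deny-Storage-ResourceAccessRulesResourceId",
                                    resource_id or "<missing resourceId>"))

    # Deny-Storage-CopyScope: unset means blobs can be copied to accounts in any tenant.
    scope = props.get("allowedCopyScope")
    if scope not in allowed_copy_scopes:
        findings.append(Finding("Deny-Storage-CopyScope", f"allowedCopyScope={scope!r}"))

    # Deny-Storage-ContainerDeleteRetentionPolicy: container soft delete is the
    # only undo for a container deletion by a compromised identity.
    blob_props = blob_service.get("properties", blob_service)
    policy = blob_props.get("containerDeleteRetentionPolicy") or {}
    days = int(policy.get("days") or 0)
    if not policy.get("enabled") or days < min_container_retention_days:
        findings.append(Finding("Deny-Storage-ContainerDeleteRetentionPolicy",
                                f"enabled={policy.get('enabled')!r} days={days}"))
    return findings


# Constructed samples (no real accounts), in the shape of the az CLI output.
ALLOWED_SUBSCRIPTION = "00000000-0000-0000-0000-000000000001"

WEAK_ACCOUNT = {
    "name": "stweakexample",
    "properties": {
        "allowedCopyScope": None,
        "networkAcls": {
            "defaultAction": "Deny",
            "bypass": "AzureServices, Logging",
            "virtualNetworkRules": [{"id": f"/subscriptions/{ALLOWED_SUBSCRIPTION}/resourceGroups/rg-net/"
                                           "providers/Microsoft.Network/virtualNetworks/vnet-app/subnets/snet-app",
                                     "action": "Allow"}],
            "resourceAccessRules": [{"tenantId": "00000000-0000-0000-0000-0000000000aa",
                                     "resourceId": "/subscriptions/*/resourceGroups/*/providers/"
                                                   "Microsoft.Synapse/workspaces/*"}],
        },
    },
}
WEAK_BLOB_SERVICE = {"properties": {"containerDeleteRetentionPolicy": {"enabled": True, "days": 3}}}

HARDENED_ACCOUNT = {
    "name": "sthardenedexample",
    "properties": {
        "allowedCopyScope": "PrivateLink",
        "networkAcls": {
            "defaultAction": "Deny",
            "bypass": "None",
            "virtualNetworkRules": [],
            "resourceAccessRules": [{"tenantId": "00000000-0000-0000-0000-0000000000aa",
                                     "resourceId": f"/subscriptions/{ALLOWED_SUBSCRIPTION}/resourceGroups/"
                                                   "rg-data/providers/Microsoft.Synapse/workspaces/syn-example"}],
        },
    },
}
HARDENED_BLOB_SERVICE = {"properties": {"containerDeleteRetentionPolicy": {"enabled": True, "days": 14}}}

if __name__ == "__main__":
    for label, acct, blob in (("weak", WEAK_ACCOUNT, WEAK_BLOB_SERVICE),
                              ("hardened", HARDENED_ACCOUNT, HARDENED_BLOB_SERVICE)):
        for f in evaluate_storage_account(acct, blob, ALLOWED_SUBSCRIPTION):
            print(f"{label}: {f.policy}: {f.detail}")
```

The weak sample trips all five checks; the hardened one trips none. Note that the `defaultAction: Deny` on the weak account does not help, because bypass and virtual network rules are evaluated before the default action, which is exactly why the ALZ policies target those properties rather than `defaultAction`.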
Monitoring | Deploy-Diagnostics-WVDHostPools | [Deprecated]: Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace | Deploys the diagnostic settings for AVD Host Pools to stream to a Log Analytics workspace when any Host Pool that is missing this diagnostic setting is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Log Analytics Contributor, Monitoring Contributor | change | Version remains equal, new suffix: deprecated (1.3.0 > 1.3.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-NetworkSecurityGroups | [Deprecated]: Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace | Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Group that is missing this diagnostic setting is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Log Analytics Contributor, Monitoring Contributor | change | Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-CosmosDB | [Deprecated]: Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace | Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB account that is missing this diagnostic setting is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Log Analytics Contributor, Monitoring Contributor | change | Version remains equal, new suffix: deprecated (1.2.0 > 1.2.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-VMSS | [Deprecated]: Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace | Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Set that is missing this diagnostic setting is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Log Analytics Contributor, Monitoring Contributor | change | Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Managed Identity | Deploy-UserAssignedManagedIdentity-VMInsights | [Deprecated]: Deploy User Assigned Managed Identity for VM Insights | Policy is deprecated as it's no longer required. The User-Assigned Managed Identity is now centralized and deployed by Azure Landing Zones to the Management Subscription. | Default: DeployIfNotExists; Allowed: AuditIfNotExists, DeployIfNotExists, Disabled | Contributor | change | Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-LogAnalytics | [Deprecated]: Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace | Deploys the diagnostic settings for Log Analytics workspaces to stream to a Log Analytics workspace when any Log Analytics workspace that is missing this diagnostic setting is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Log Analytics Contributor, Monitoring Contributor | change | Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Security Center | Deploy-MDFC-SQL-DefenderSQL | [Deprecated]: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL | Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce.html | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Log Analytics Contributor, Monitoring Contributor | change | Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated); superseded by BuiltIn policy "Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL" (ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce) | 2024-06-03 17:39:43 | ALZ |
Monitoring | Deploy-Diagnostics-LogicAppsISE | [Deprecated]: Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace | Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment that is missing this diagnostic setting is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Log Analytics Contributor, Monitoring Contributor | change | Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | 2024-06-03 17:39:43 | ALZ |
Cost Optimization | Audit-PublicIpAddresses-UnusedResourcesCostOptimization | Unused Public IP addresses driving cost should be avoided | Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Public IP addresses that are driving cost. | Default: Audit; Allowed: Audit, Disabled | | change | Minor (1.0.0 > 1.1.0) | 2024-06-03 17:39:43 | ALZ |
Azure Update Manager | 9905ca54-1471-49c6-8291-7582c04cd4d4 | [Preview]: Set prerequisite for Scheduling recurring updates on Azure virtual machines. | This policy will set the prerequisite needed to schedule recurring updates on Azure Update Manager by configuring patch orchestration to 'Customer Managed Schedules'. This change will automatically set the patch mode to 'AutomaticByPlatform' and set 'BypassPlatformSafetyChecksOnUserSchedule' to 'True' on Azure VMs. The prerequisite is not applicable for Arc-enabled servers. Learn more - https://learn.microsoft.com/en-us/azure/update-manager/dynamic-scope-overview?tabs=avms#prerequisites | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Contributor | change | Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2024-05-27 16:38:31 | BuiltIn |
PostgreSQL | c29c38cb-74a7-4505-9a06-e588ab86620a | Enforce SSL connection should be enabled for PostgreSQL flexible servers | Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL flexible server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database flexible server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your PostgreSQL flexible server. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | add | new Policy | 2024-05-27 16:38:31 | BuiltIn |
Azure Update Manager | ba0df93e-e4ac-479a-aac2-134bbae39a1a | Schedule recurring updates using Azure Update Manager | You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Contributor | change | Minor (3.10.0 > 3.12.0) | 2024-05-27 16:38:31 | BuiltIn |
PostgreSQL | 5375a5bb-22c6-46d7-8a43-83417cfb4460 | Private endpoint should be enabled for PostgreSQL flexible servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | add | new Policy | 2024-05-27 16:38:31 | BuiltIn |
Cosmos DB | 862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb | Azure Cosmos DB accounts should have firewall rules | Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. | Default: Deny; Allowed: Audit, Deny, Disabled | | change | Minor (2.0.0 > 2.1.0) | 2024-05-27 16:38:31 | BuiltIn |
PostgreSQL | 70be9e12-c935-49ac-9bd8-fd64b85c1f87 | Log checkpoints should be enabled for PostgreSQL flexible servers | This policy helps audit any PostgreSQL flexible servers in your environment without the log_checkpoints setting enabled. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | add | new Policy | 2024-05-27 16:38:31 | BuiltIn |
PostgreSQL | 1d14b021-1bae-4f93-b36b-69695e14984a | Disconnections should be logged for PostgreSQL flexible servers | This policy helps audit any PostgreSQL flexible servers in your environment without log_disconnections enabled. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | add | new Policy | 2024-05-27 16:38:31 | BuiltIn |
PostgreSQL | dacf07fa-0eea-4486-80bc-b93fae88ac40 | Connection throttling should be enabled for PostgreSQL flexible servers | This policy helps audit any PostgreSQL flexible servers in your environment without connection throttling enabled. This setting enables temporary connection throttling per IP for too many invalid password login failures. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | add | new Policy | 2024-05-27 16:38:31 | BuiltIn |
PostgreSQL | cee2f9fd-3968-44be-a863-bd62c9884423 | Geo-redundant backup should be enabled for Azure Database for PostgreSQL flexible servers | Azure Database for PostgreSQL flexible servers allows you to choose the redundancy option for your database server. It can be set to geo-redundant backup storage, in which the data is not only stored within the region in which your server is hosted but is also replicated to a paired region to provide a recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Default: Audit; Allowed: Audit, Disabled | | add | new Policy | 2024-05-27 16:38:31 | BuiltIn |
PostgreSQL | 086709ac-11b5-478d-a893-9567a16d2ae3 | Log connections should be enabled for PostgreSQL flexible servers | This policy helps audit any PostgreSQL flexible servers in your environment without the log_connections setting enabled. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | add | new Policy | 2024-05-27 16:38:31 | BuiltIn |
Cosmos DB | 12339a85-a25c-4f17-9f82-4766f13f5c4c | Azure Cosmos DB accounts should not allow traffic from all Azure data centers | Disallow the IP Firewall rule, '0.0.0.0', which allows for all traffic from any Azure data centers. Learn more at https://aka.ms/cosmosdb-firewall | Default Audit Allowed Audit, Deny, Disabled | | add | new Policy | 2024-05-17 18:03:56 | BuiltIn |
ChangeTrackingAndInventory | ad1eeff9-20d7-4c82-a04e-903acab0bfc1 | Configure Windows VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Virtual Machine Contributor | change | Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2024-05-17 18:03:56 | BuiltIn |
ChangeTrackingAndInventory | 56d0ed2b-60fc-44bf-af81-a78c851b5fe1 | Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Virtual Machine Contributor | change | Minor, suffix remains equal (1.4.0-preview > 1.5.0-preview) | 2024-05-17 18:03:56 | BuiltIn |
ChangeTrackingAndInventory | b73e81f3-6303-48ad-9822-b69fc00c15ef | [Preview]: Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Virtual Machine Contributor | change | Minor, suffix remains equal (1.3.0-preview > 1.4.0-preview) | 2024-05-17 18:03:56 | BuiltIn |
ChangeTrackingAndInventory | 4485d24b-a9d3-4206-b691-1fad83bc5007 | [Preview]: Configure Windows VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Virtual Machine Contributor | change | Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2024-05-17 18:03:56 | BuiltIn |
Backup | 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 | Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | count: 002 •Backup Contributor •Virtual Machine Contributor | change | Minor (9.2.0 > 9.3.0) | 2024-05-13 17:44:58 | BuiltIn |
Guest Configuration | a8f3e6a6-dcd2-434c-b0f7-6f309ce913b4 | Audit SSH security posture for Linux (powered by OSConfig) | This policy audits SSH server security configuration on Linux machines (Azure VMs and Arc-enabled machines). For more information including pre-requisites, settings in scope, defaults, and customization, see https://aka.ms/SshPostureControlOverview | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | add | new Policy | 2024-05-13 17:44:58 | BuiltIn |
Backup | 09ce66bc-1220-4153-8104-e3f51c936913 | Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | count: 002 •Backup Contributor •Virtual Machine Contributor | change | Minor (9.2.0 > 9.3.0) | 2024-05-13 17:44:58 | BuiltIn |
Security Center | 2227e1f1-23dd-4c3a-85a9-7024a401d8b2 | Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR | Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for these Arc-enabled SQL Servers. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.2.0 > 1.3.0) | 2024-05-13 17:44:58 | BuiltIn |
Monitoring | 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07 | Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (4.2.0 > 4.3.0) | 2024-05-13 17:44:58 | BuiltIn |
Backup | bdff5235-9f40-4a32-893f-38a03d5d607c | [Preview]: Install Azure Backup Extension in AKS clusters (Managed Cluster) with a given tag. | Installing the Azure Backup Extension is a pre-requisite for protecting your AKS Clusters. Enforce installation of backup extension on all AKS clusters containing a given tag. Doing this can help you manage Backup of AKS Clusters at scale. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled | count: 001 •Owner | add | new Policy | 2024-05-13 17:44:58 | BuiltIn |
Backup | 345fa903-145c-4fe1-8bcd-93ec2adccde8 | Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | count: 002 •Backup Contributor •Virtual Machine Contributor | change | Minor (9.2.0 > 9.3.0) | 2024-05-13 17:44:58 | BuiltIn |
Monitoring | ae8a10e6-19d6-44a3-a02d-a2bdfc707742 | Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Virtual Machine Contributor | change | Minor (3.6.0 > 3.7.0) | 2024-05-13 17:44:58 | BuiltIn |
Backup | 9a021087-bba6-42fd-b535-bba75297566b | [Preview]: Install Azure Backup Extension in AKS clusters (Managed Cluster) without a given tag. | Installing the Azure Backup Extension is a pre-requisite for protecting your AKS Clusters. Enforce installation of backup extension on all AKS clusters without a particular tag value. Doing this can help you manage Backup of AKS Clusters at scale. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled | count: 001 •Owner | add | new Policy | 2024-05-13 17:44:58 | BuiltIn |
Security Center | 63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 | Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Contributor | change | Minor (1.5.0 > 1.6.0) | 2024-05-13 17:44:58 | BuiltIn |
Backup | 6e68865f-f3cd-48ec-9bba-54795672eaa4 | [Preview]: Configure backup for Azure Disks (Managed Disks) without a given tag to an existing backup vault in the same region | Enforce backup for all Azure Disks (Managed Disks) that do not contain a given tag to a central backup vault. Learn more at https://aka.ms/AB-DiskBackupAzPolicies | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Backup Contributor | add | new Policy | 2024-05-13 17:44:58 | BuiltIn |
Monitoring | 050a90d5-7cce-483f-8f6c-0df462036dda | Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (4.2.0 > 4.3.0) | 2024-05-13 17:44:58 | BuiltIn |
Security Center | 04754ef9-9ae3-4477-bf17-86ef50026304 | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Contributor | change | Minor (1.5.0 > 1.6.0) | 2024-05-13 17:44:58 | BuiltIn |
Backup | 83644c87-93dd-49fe-bf9f-6aff8fd0834e | Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. | Default DeployIfNotExists Allowed auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | count: 002 •Backup Contributor •Virtual Machine Contributor | change | Minor (9.2.0 > 9.3.0) | 2024-05-13 17:44:58 | BuiltIn |
Monitoring | 59c3d93f-900b-4827-a8bd-562e7b956e7c | Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Virtual Machine Contributor | change | Minor (3.6.0 > 3.7.0) | 2024-05-13 17:44:58 | BuiltIn |
Security Center | 09963c90-6ee7-4215-8d26-1cc660a1682f | Create and assign a built-in user-assigned managed identity | Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled | count: 001 •Contributor | change | Minor (1.5.0 > 1.6.0) | 2024-05-13 17:44:58 | BuiltIn |
Monitoring | 2ea82cdd-f2e8-4500-af75-67a2e084ca74 | Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (6.3.0 > 6.4.0) | 2024-05-13 17:44:58 | BuiltIn |
Security Center | cfdc5972-75b3-4418-8ae1-7f5c36839390 | Configure Microsoft Defender for Storage to be enabled | Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable all Defender for Storage capabilities: Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Owner | change | Minor (1.2.0 > 1.3.0) | 2024-05-13 17:44:58 | BuiltIn |
Monitoring | c84e5349-db6d-4769-805e-e14037dab9b5 | Deploy Diagnostic Settings for Batch Account to Log Analytics workspace | Deploys the diagnostic settings for Batch Account to stream to a regional Log Analytics workspace when any Batch Account which is missing these diagnostic settings is created or updated. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-05-13 17:44:58 | BuiltIn |
Security Center | f91991d1-5383-4c95-8ee5-5ac423dd8bb1 | Configure SQL Virtual Machines to automatically install Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Virtual Machine Contributor | change | Minor (1.3.0 > 1.4.0) | 2024-05-13 17:44:58 | BuiltIn |
Backup | 7b5a3b1d-d2e1-4c0b-9f3b-ad0b9a2283f4 | [Preview]: Configure backup for Azure Disks (Managed Disks) with a given tag to an existing backup vault in the same region | Enforce backup for all Azure Disks (Managed Disks) that contain a given tag to a central backup vault. Learn more at https://aka.ms/AB-DiskBackupAzPolicies | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Backup Contributor | add | new Policy | 2024-05-13 17:44:58 | BuiltIn |
Security Center | 6e2593d9-add6-4083-9c9b-4b7d2188c899 | Email notification for high severity alerts should be enabled | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled | | change | Minor (1.1.0 > 1.2.0) | 2024-05-13 17:44:58 | BuiltIn |
Security Center | ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL | Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 002 •Log Analytics Contributor •Monitoring Contributor | change | Minor (1.3.0 > 1.4.0) | 2024-05-13 17:44:58 | BuiltIn |
Monitoring | 2e3285f9-ae82-4f69-b83f-5b6f1ee69f3a | Enable logging by category group for Playwright Testing (microsoft.azureplaywrightservice/accounts) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Playwright Testing (microsoft.azureplaywrightservice/accounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 944eae3e-6b16-4864-86e1-1b23d58386d5 | Enable logging by category group for Streaming Endpoints (microsoft.media/mediaservices/streamingendpoints) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Streaming Endpoints (microsoft.media/mediaservices/streamingendpoints). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 567c93f7-3661-494f-a30f-0a94d9bfebf8 | Enable logging by category group for API Management services (microsoft.apimanagement/service) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for API Management services (microsoft.apimanagement/service). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | dcb324b0-3bfa-4df4-b476-64122bde219e | Enable logging by category group for Scaling plans (microsoft.desktopvirtualization/scalingplans) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Scaling plans (microsoft.desktopvirtualization/scalingplans). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | a853abad-dfa4-4bf5-aaa1-04cb10c02d23 | Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Log Analytics workspaces (microsoft.operationalinsights/workspaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | change | Minor (1.1.0 > 1.2.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 71153be3-4742-4aae-9aec-150f7589311b | Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Key vaults (microsoft.keyvault/vaults). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | change | Minor (1.1.0 > 1.2.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 5cfb9e8a-2f13-40bd-a527-c89bc596d299 | Enable logging by category group for microsoft.machinelearningservices/workspaces/onlineendpoints to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.machinelearningservices/workspaces/onlineendpoints. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 3234ff41-8bec-40a3-b5cb-109c95f1c8ce | Enable logging by category group for Virtual networks (microsoft.network/virtualnetworks) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Virtual networks (microsoft.network/virtualnetworks). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 9cbc4c60-0db8-483c-999b-0f017a01a56b | Enable logging by category group for Event Grid System Topics (microsoft.eventgrid/systemtopics) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid System Topics (microsoft.eventgrid/systemtopics). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 6b2899d8-5fdf-4ade-ba59-f1f82664877b | Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Bastions (microsoft.network/bastionhosts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | change | Minor (1.1.0 > 1.2.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 454c7d4b-c141-43f1-8c81-975ebb15a9b5 | Enable logging by category group for Azure Databricks Services (microsoft.databricks/workspaces) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Databricks Services (microsoft.databricks/workspaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 28e2d787-b5f4-43cf-8cb7-11b54773d379 | Enable logging by category group for microsoft.network/networkmanagers/ipampools to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/networkmanagers/ipampools. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 4cabf9fc-4ed1-4990-bbaf-7248fb8751bc | Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Microsoft Purview accounts (microsoft.purview/accounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | a12e0815-0735-48d9-b5b3-8a3b60a85b86 | Enable logging by category group for SCOPE pools (microsoft.synapse/workspaces/scopepools) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SCOPE pools (microsoft.synapse/workspaces/scopepools). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 0277b2d5-6e6f-4d97-9929-a5c4eab56fd7 | Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Service Bus Namespaces (microsoft.servicebus/namespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | a142867f-3142-4ac6-b952-ab950a29fca5 | Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Cache for Redis (microsoft.cache/redis). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | change | Minor (1.1.0 > 1.2.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 92012204-a7e4-4a95-bbe5-90d0d3e12735 | Enable logging by category group for Application gateways (microsoft.network/applicationgateways) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Application gateways (microsoft.network/applicationgateways). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 85779c9a-7fdf-4294-937c-ded183166fa8 | Enable logging by category group for Container instances (microsoft.containerinstance/containergroups) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Container instances (microsoft.containerinstance/containergroups). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | f873a711-0322-4744-8322-7e62950fbec2 | Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | eb2fea88-fa7b-4531-a4c1-428c618fbcc8 | Enable logging by category group for FHIR service (microsoft.healthcareapis/workspaces/fhirservices) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for FHIR service (microsoft.healthcareapis/workspaces/fhirservices). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 2cc39a57-5106-4d41-b872-55c2b9d7b729 | Enable logging by category group for Public IP Prefixes (microsoft.network/publicipprefixes) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Public IP Prefixes (microsoft.network/publicipprefixes). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 20a921eb-1c4b-4bb7-a78f-6653ad293dba | Enable logging by category group for microsoft.network/networksecurityperimeters to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.network/networksecurityperimeters. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | e6421995-539a-4ce3-854b-1c88534396cf | Enable logging by category group for microsoft.networkcloud/baremetalmachines to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.networkcloud/baremetalmachines. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | bfc6b185-2af1-4998-a32e-c0144792eeb2 | Enable logging by category group for App Service Environments (microsoft.web/hostingenvironments) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for App Service Environments (microsoft.web/hostingenvironments). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | c29fe1b2-c0b0-4d92-a988-84b484801707 | Enable logging by category group for Network Managers (microsoft.network/networkmanagers) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Network Managers (microsoft.network/networkmanagers). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 415eaa04-e9db-476a-ba43-092d70ebe1e7 | Enable logging by category group for Bot Services (microsoft.botservice/botservices) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Bot Services (microsoft.botservice/botservices). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | be9259e2-a221-4411-84fd-dd22c6691653 | Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Bastions (microsoft.network/bastionhosts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | a271e156-b295-4537-b01d-09675d9e7851 | Enable logging by category group for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | ed251afd-72b1-4e41-b6c9-6614420f1207 | Enable logging by category group for Data Shares (microsoft.datashare/accounts) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Data Shares (microsoft.datashare/accounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 96abcdc6-3c5a-4b0f-b031-9a4c1f36c9a6 | Enable logging by category group for Azure Synapse Analytics (microsoft.synapse/workspaces) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Synapse Analytics (microsoft.synapse/workspaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | a7c668bd-3327-474f-8fb5-8146e3e40e40 | Enable logging by category group for Host pools (microsoft.desktopvirtualization/hostpools) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Host pools (microsoft.desktopvirtualization/hostpools). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 4d46b9c1-0a86-41bf-aaf2-74d0ebf8ce66 | Enable logging by category group for microsoft.cdn/cdnwebapplicationfirewallpolicies to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.cdn/cdnwebapplicationfirewallpolicies. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 63f9b4b2-de99-4b16-ad94-1a5464ac4f7d | Enable logging by category group for microsoft.synapse/workspaces/kustopools to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.synapse/workspaces/kustopools. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 887d1795-3d3d-4859-9ef4-9447392db2ea | Enable logging by category group for Application gateways (microsoft.network/applicationgateways) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Application gateways (microsoft.network/applicationgateways). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | aaa4560d-9580-4804-a5e5-b9ffb469d49e | Enable logging by category group for Azure Data Explorer Clusters (microsoft.kusto/clusters) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Data Explorer Clusters (microsoft.kusto/clusters). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 02f64cac-bab0-4950-bb95-51f2d3970efa | Enable logging by category group for microsoft.timeseriesinsights/environments/eventsources to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.timeseriesinsights/environments/eventsources. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | b15247e4-f83b-48b2-b34e-8ea6148a0f34 | Enable logging by category group for 1ES Hosted Pools (microsoft.cloudtest/hostedpools) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for 1ES Hosted Pools (microsoft.cloudtest/hostedpools). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 0983eb33-77d7-47e5-9fa7-879f8cea012e | Enable logging by category group for Notification Hub Namespaces (microsoft.notificationhubs/namespaces) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Notification Hub Namespaces (microsoft.notificationhubs/namespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 65a1573e-cc90-412b-8db2-ba60731b0ea6 | Enable logging by category group for microsoft.customproviders/resourceproviders to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.customproviders/resourceproviders. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | a83fcddb-39d0-4c21-af38-76d2c935c3ca | Enable logging by category group for microsoft.timeseriesinsights/environments/eventsources to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.timeseriesinsights/environments/eventsources. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 0509e2d8-d657-4563-a7c8-b88b9180a6e8 | Enable logging by category group for microsoft.community/communitytrainings to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.community/communitytrainings. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | a2361fd4-721d-4be2-9910-53be250b99ad | Enable logging by category group for Public IP Prefixes (microsoft.network/publicipprefixes) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Public IP Prefixes (microsoft.network/publicipprefixes). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 94d707a8-ce27-4851-9ce2-07dfe96a095b | Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for IoT Hub (microsoft.devices/iothubs). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 1d98c506-1460-4424-9006-84210fa5214a | Enable logging by category group for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 6b80a35d-1e9a-43ac-9e0b-4519ce9f09b4 | Enable logging by category group for HPC caches (microsoft.storagecache/caches) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for HPC caches (microsoft.storagecache/caches). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | f3977509-4420-4dfa-b1c9-2ab38dfd530f | Enable logging by category group for microsoft.d365customerinsights/instances to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.d365customerinsights/instances. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | a1a5f3c5-d01a-459c-8398-a3c9a79ad879 | Enable logging by category group for Azure Video Indexer (microsoft.videoindexer/accounts) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Video Indexer (microsoft.videoindexer/accounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 041e904a-33e5-45fd-b3f6-4ac95f1f8761 | Enable logging by category group for microsoft.devices/provisioningservices to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.devices/provisioningservices. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | d8a9593e-791e-4fd7-9b22-a75b76e5de17 | Enable logging by category group for microsoft.documentdb/mongoclusters to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.documentdb/mongoclusters. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 29565b0a-e1b5-49c1-94bf-b8b258656460 | Enable logging by category group for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | e92686fd-65f0-420f-a52b-7da14f3cef90 | Enable logging by category group for Recovery Services vaults (microsoft.recoveryservices/vaults) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Recovery Services vaults (microsoft.recoveryservices/vaults). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 601e350d-405c-41d0-a886-72c283f8fab2 | Enable logging by category group for Network security groups (microsoft.network/networksecuritygroups) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Network security groups (microsoft.network/networksecuritygroups). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 7860f3fe-0db3-42d4-bf3d-7042ea5e5787 | Enable logging by category group for microsoft.dbformysql/flexibleservers to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.dbformysql/flexibleservers. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 3a8ff864-d881-44ce-bed3-0c63ede634cb | Enable logging by category group for API Management services (microsoft.apimanagement/service) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for API Management services (microsoft.apimanagement/service). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.1.0 > 1.2.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 23673f24-2594-43e9-9983-60a0be21bd76 | Enable logging by category group for Network Managers (microsoft.network/networkmanagers) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Network Managers (microsoft.network/networkmanagers). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 8963c37c-1113-4f1b-ae2e-3a5dd960a7f1 | Enable logging by category group for microsoft.timeseriesinsights/environments/eventsources to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.timeseriesinsights/environments/eventsources. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 856331d3-0169-4dd9-9b04-cbb2ad3d1cf2 | Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Attestation providers (microsoft.attestation/attestationproviders). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 14ed86b4-ea45-4b1b-98a5-eb8f5f7da726 | Enable logging by category group for microsoft.openenergyplatform/energyservices to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.openenergyplatform/energyservices. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 14e81583-c89c-47db-af0d-f9ddddcccd9f | Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Cognitive Services (microsoft.cognitiveservices/accounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | ac27709a-8e3a-4abf-8122-877af1dd9209 | Enable logging by category group for microsoft.insights/autoscalesettings to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.insights/autoscalesettings. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 887dc342-c6bd-418b-9407-ab0e27deba36 | Enable logging by category group for microsoft.synapse/workspaces/kustopools to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.synapse/workspaces/kustopools. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 590b6105-4715-4e8b-8049-c5a4ae07d8e9 | Enable logging by category group for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | fea83f6c-a18a-4338-8f1f-80ecba4c5643 | Enable logging by category group for Backup vaults (microsoft.dataprotection/backupvaults) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Backup vaults (microsoft.dataprotection/backupvaults). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | b4545446-0cac-4af5-b591-61544b66e802 | Enable logging by category group for Workspaces (microsoft.desktopvirtualization/workspaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Workspaces (microsoft.desktopvirtualization/workspaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 7806c8b4-afc9-4a35-b9a9-3707413df35e | Enable logging by category group for microsoft.insights/autoscalesettings to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.insights/autoscalesettings. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | ca05d7f2-6625-4cc3-a65a-4931b45ff139 | Enable logging by category group for Bot Services (microsoft.botservice/botservices) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Bot Services (microsoft.botservice/botservices). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | db20d5eb-782b-4c4d-b668-06816ec72c58 | Enable logging by category group for DICOM service (microsoft.healthcareapis/workspaces/dicomservices) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for DICOM service (microsoft.healthcareapis/workspaces/dicomservices). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | f8352124-56fa-4f94-9441-425109cdc14b | Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Bastions (microsoft.network/bastionhosts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 339855ce-39c1-4a70-adc9-103ea7aac99f | Enable logging by category group for Firewalls (microsoft.network/azurefirewalls) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Firewalls (microsoft.network/azurefirewalls). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 2853b2ac-3ce0-4e51-a1e3-086591e7028a | Enable logging by category group for Relays (microsoft.relay/namespaces) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Relays (microsoft.relay/namespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 79494980-ea12-4ca1-8cca-317e942b6da2 | Enable logging by category group for Application Insights (microsoft.insights/components) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Application Insights (microsoft.insights/components). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 6b4b3d79-2eeb-4612-b3d1-99ef609ffa4e | Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Microsoft Purview accounts (microsoft.purview/accounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | change | Minor (1.1.0 > 1.2.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | f969646f-b6b8-45a0-b736-bf9b4bb933dc | Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 5d487647-6a53-4839-8eb8-edccf5e6bf1d | Enable logging by category group for Live events (microsoft.media/mediaservices/liveevents) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Live events (microsoft.media/mediaservices/liveevents). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | ec51b91e-e03d-4435-b6e7-dcaffe6ba5c0 | Enable logging by category group for microsoft.customproviders/resourceproviders to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.customproviders/resourceproviders. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | d16cdb9f-e2a8-4002-88f6-9eeaea1766f7 | Enable logging by category group for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | e1598217-5ff1-4978-b51d-f0238e100019 | Enable logging by category group for microsoft.dbforpostgresql/servergroupsv2 to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.dbforpostgresql/servergroupsv2. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | a6d488fc-3520-4ec8-9cf6-c5e78d677651 | Enable logging by category group for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 9529ceaf-8c7e-4149-bcb6-f38f63c5e4bd | Enable logging by category group for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | ba00f5fb-98f7-4542-b88a-16c5ce44f26a | Enable logging by category group for microsoft.autonomousdevelopmentplatform/workspaces to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.autonomousdevelopmentplatform/workspaces. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 005380e0-1f5b-467a-8ae8-8519938627f9 | Enable logging by category group for microsoft.networkcloud/storageappliances to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.networkcloud/storageappliances. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 1888f765-327a-4a8d-9816-968b34ea8b78 | Enable logging by category group for FHIR service (microsoft.healthcareapis/workspaces/fhirservices) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for FHIR service (microsoft.healthcareapis/workspaces/fhirservices). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 8d42b501-dd03-449d-a070-32d1db2e546b | Enable logging by category group for Managed databases (microsoft.sql/managedinstances/databases) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Managed databases (microsoft.sql/managedinstances/databases). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | a474a6be-35da-4c8a-ae97-f97d03bbd213 | Enable logging by category group for Dev centers (microsoft.devcenter/devcenters) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Dev centers (microsoft.devcenter/devcenters). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Azure Update Manager | 9905ca54-1471-49c6-8291-7582c04cd4d4 | [Preview]: Set prerequisite for Scheduling recurring updates on Azure virtual machines. | This policy will set the prerequisite needed to schedule recurring updates on Azure Update Manager by configuring patch orchestration to 'Customer Managed Schedules'. This change will automatically set the patch mode to 'AutomaticByPlatform' and set 'BypassPlatformSafetyChecksOnUserSchedule' to 'True' on Azure VMs. The prerequisite is not applicable for Arc-enabled servers. Learn more - https://learn.microsoft.com/en-us/azure/update-manager/dynamic-scope-overview?tabs=avms#prerequisites | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled | count: 001 •Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 7646801f-46d5-48d0-9e18-efb884944f3e | Enable logging by category group for microsoft.customproviders/resourceproviders to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.customproviders/resourceproviders. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 819c6fd1-432a-4516-a9cb-0c4462af610f | Enable logging by category group for microsoft.powerbi/tenants/workspaces to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.powerbi/tenants/workspaces. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 557c828f-aa51-40d9-868a-cff8d3982818 | Enable logging by category group for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 9dc3e252-1cff-4ae5-bcad-5a92b7167d43 | Enable logging by category group for App Service Environments (microsoft.web/hostingenvironments) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for App Service Environments (microsoft.web/hostingenvironments). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 1aa5a06a-0cee-4598-8200-94755d500381 | Enable logging by category group for Azure Database for MariaDB servers (microsoft.dbformariadb/servers) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Database for MariaDB servers (microsoft.dbformariadb/servers). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 6af023b1-4841-4b54-8f3d-69caa4e558cb | Enable logging by category group for Application groups (microsoft.desktopvirtualization/applicationgroups) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Application groups (microsoft.desktopvirtualization/applicationgroups). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | de5d5895-642e-4d19-a14e-08a67b2dd152 | Enable logging by category group for Azure Database for MariaDB servers (microsoft.dbformariadb/servers) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Database for MariaDB servers (microsoft.dbformariadb/servers). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | aa78af66-1659-40aa-90b0-b35b616adbdc | Enable logging by category group for microsoft.networkanalytics/dataproducts to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.networkanalytics/dataproducts. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | bbf47f27-95e4-46a0-82e1-898ce046d857 | Enable logging by category group for microsoft.azuresphere/catalogs to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.azuresphere/catalogs. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | ca09affa-60d6-4cef-9037-b7372e1ac44f | Enable logging by category group for microsoft.network/vpngateways to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.network/vpngateways. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 2453e322-a7e5-4905-ba1e-ac6ea60ff808 | Enable logging by category group for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 3d9b8097-326d-4675-8cff-cce4580c9208 | Enable logging by category group for Code Signing Accounts (microsoft.codesigning/codesigningaccounts) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Code Signing Accounts (microsoft.codesigning/codesigningaccounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 9fcae8ed-246a-407b-8f75-f3500ff2c9db | Enable logging by category group for Batch accounts (microsoft.batch/batchaccounts) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Batch accounts (microsoft.batch/batchaccounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | b90ec596-faa6-4c61-9515-34085703e260 | Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Domains (microsoft.eventgrid/domains). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 99b76532-523c-44da-8d28-3af059fd7fbb | Enable logging by category group for Event Grid Partner Topics (microsoft.eventgrid/partnertopics) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Partner Topics (microsoft.eventgrid/partnertopics). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 64948b6b-409d-4af2-970f-3b80fea408c1 | Enable logging by category group for microsoft.networkcloud/clusters to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.networkcloud/clusters. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 9c79e60b-99f2-49f3-b08c-630d269bddc1 | Enable logging by category group for Azure AD Domain Services (microsoft.aad/domainservices) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure AD Domain Services (microsoft.aad/domainservices). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 13bf624e-fe24-40f0-9a7c-066e28a50871 | Enable logging by category group for microsoft.devices/provisioningservices to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.devices/provisioningservices. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | fc744b31-a930-4eb5-bc06-e81f98bf7214 | Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SignalR (microsoft.signalrservice/signalr). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | change | Minor (1.1.0 > 1.2.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 8fc4ca5f-6abc-4b30-9565-0bd91ac49420 | Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SQL managed instances (microsoft.sql/managedinstances). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | b9d3f759-4cda-43cf-8f64-5b01aeb1c21a | Enable logging by category group for microsoft.networkcloud/clusters to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.networkcloud/clusters. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 78d285d5-f767-43f8-aa36-4616daaf9d51 | Enable logging by category group for Backup vaults (microsoft.dataprotection/backupvaults) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Backup vaults (microsoft.dataprotection/backupvaults). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | f9431f54-4c78-47ef-aac9-2b37cbaeae75 | Enable logging by category group for Logic apps (microsoft.logic/workflows) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Logic apps (microsoft.logic/workflows). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 58e22268-dacf-4b7f-b445-338a7e56d23c | Enable logging by category group for Logic apps (microsoft.logic/workflows) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Logic apps (microsoft.logic/workflows). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | c5ecf495-6caa-445c-b431-04fda56c555a | Enable logging by category group for ExpressRoute circuits (microsoft.network/expressroutecircuits) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for ExpressRoute circuits (microsoft.network/expressroutecircuits). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | f48e8ce0-91bd-4d51-8aba-8990d942f999 | Enable logging by category group for Streaming Endpoints (microsoft.media/mediaservices/streamingendpoints) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Streaming Endpoints (microsoft.media/mediaservices/streamingendpoints). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | b797045a-b3cd-46e4-adc4-bbadb3381d78 | Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Automation Accounts (microsoft.automation/automationaccounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | bd0965d6-9544-406a-90b5-dc2d566670b8 | Enable logging by category group for Managed databases (microsoft.sql/managedinstances/databases) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Managed databases (microsoft.sql/managedinstances/databases). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 95f9d29c-defd-4387-b73b-5cdb4a982bf0 | Enable logging by category group for microsoft.dbformysql/flexibleservers to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.dbformysql/flexibleservers. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 37d5d366-8544-498a-9106-00185b29a9e3 | Enable logging by category group for microsoft.cdn/cdnwebapplicationfirewallpolicies to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.cdn/cdnwebapplicationfirewallpolicies. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 271ccc7b-8334-48c5-b90b-edf37dfb2d00 | Enable logging by category group for Data factories (V2) (microsoft.datafactory/factories) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Data factories (V2) (microsoft.datafactory/factories). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | cd0a772a-62ba-4295-8311-d6710ebe967b | Enable logging by category group for Data collection rules (microsoft.insights/datacollectionrules) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Data collection rules (microsoft.insights/datacollectionrules). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 5fbd326d-328c-414e-a922-2d6963998962 | Enable logging by category group for microsoft.dbforpostgresql/flexibleservers to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.dbforpostgresql/flexibleservers. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 0fff3e39-f422-45b0-b497-33a05b996d3e | Enable logging by category group for Event Grid System Topics (microsoft.eventgrid/systemtopics) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid System Topics (microsoft.eventgrid/systemtopics). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | aec4c33f-2f2a-4fd3-91cd-24a939513c60 | Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Cache for Redis (microsoft.cache/redis). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | a6dd4d00-283d-4765-b3d1-44ace2ccacda | Enable logging by category group for microsoft.networkfunction/azuretrafficcollectors to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.networkfunction/azuretrafficcollectors. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 73fb42d8-b57f-41cd-a840-8f4dedb1dd27 | Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for AVS Private clouds (microsoft.avs/privateclouds). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | change | Minor (1.1.0 > 1.2.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | d111f33e-5cb3-414e-aec4-427e7d1080c9 | Enable logging by category group for Data Lake Analytics (microsoft.datalakeanalytics/accounts) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Data Lake Analytics (microsoft.datalakeanalytics/accounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 0b6b8abb-7761-4e02-ae0e-2c873b5152ca | Enable logging by category group for Azure Spring Apps (microsoft.appplatform/spring) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Spring Apps (microsoft.appplatform/spring). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 47f4c5ae-1b43-4620-bcbd-65e2ee6fb7c8 | Enable logging by category group for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | a9ebdeda-251a-4311-92be-5167d73b1682 | Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | change | Minor (1.1.0 > 1.2.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 69e0da8f-ca50-479d-b1a8-33a31426c512 | Enable logging by category group for Notification Hub Namespaces (microsoft.notificationhubs/namespaces) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Notification Hub Namespaces (microsoft.notificationhubs/namespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 8def4bdd-4362-4ed6-a26f-7bf8f2c58839 | Enable logging by category group for Search services (microsoft.search/searchservices) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Search services (microsoft.search/searchservices). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | fc66c506-9397-485e-9451-acc1525f0070 | Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Microsoft Purview accounts (microsoft.purview/accounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 068e22bd-8057-466b-9642-7cd2ca476158 | Enable logging by category group for microsoft.timeseriesinsights/environments to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.timeseriesinsights/environments. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | f5094957-e0f7-4af2-9e14-13d60141dc4a | Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Topics (microsoft.eventgrid/topics). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | change | Minor (1.1.0 > 1.2.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 0b726841-c441-44ed-a2cc-d321e3be3ed7 | Enable logging by category group for microsoft.networkcloud/storageappliances to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.networkcloud/storageappliances. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 72d254bb-d0ed-42f2-9160-6b11b65b599c | Enable logging by category group for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 499b7900-f44e-40ea-b8d3-2f3cf75f2ca4 | Enable logging by category group for microsoft.dbforpostgresql/flexibleservers to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.dbforpostgresql/flexibleservers. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 3dd58519-427e-42a4-8ffc-e415a3c716f1 | Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Service Bus Namespaces (microsoft.servicebus/namespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 34705075-71e2-480c-a9cb-6e9387f47f0f | Enable logging by category group for Relays (microsoft.relay/namespaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Relays (microsoft.relay/namespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | e97f20f4-8bf0-4a35-a319-38f4144228f5 | Enable logging by category group for Bot Services (microsoft.botservice/botservices) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Bot Services (microsoft.botservice/botservices). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | ae0fc3d3-c9ce-43e8-923a-a143db56d81e | Enable logging by category group for microsoft.documentdb/cassandraclusters to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.documentdb/cassandraclusters. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | fa570aa1-acca-4eea-8e5a-233cf2c5e4c2 | Enable logging by category group for Caches (microsoft.cache/redisenterprise/databases) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Caches (microsoft.cache/redisenterprise/databases). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | bb7bbee6-718c-4a71-a474-9f9f0e2a55e4 | Enable logging by category group for Experiment Workspaces (microsoft.experimentation/experimentworkspaces) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Experiment Workspaces (microsoft.experimentation/experimentworkspaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 106cd3bd-50a1-466c-869f-f9c2d310477b | Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Container registries (microsoft.containerregistry/registries). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | e40b8f6f-0ecf-4c3b-b095-ba3562256e48 | Enable logging by category group for Analysis Services (microsoft.analysisservices/servers) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Analysis Services (microsoft.analysisservices/servers). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 1abe42e1-a726-4dee-94c2-79f364dac9b7 | Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Managed HSMs (microsoft.keyvault/managedhsms). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | change | Minor (1.1.0 > 1.2.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 041fdf14-0dd4-4ce0-83ff-de5456be0c85 | Enable logging by category group for Azure Database for MySQL servers (microsoft.dbformysql/servers) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Database for MySQL servers (microsoft.dbformysql/servers). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 3ce7ba9e-058f-4ce9-b4d6-22e6c1238904 | Enable logging by category group for DICOM service (microsoft.healthcareapis/workspaces/dicomservices) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for DICOM service (microsoft.healthcareapis/workspaces/dicomservices). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | cac9e1c5-c3cb-47fa-8d4c-88b8559262d2 | Enable logging by category group for microsoft.network/p2svpngateways to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/p2svpngateways. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 6a664864-e2b5-413e-b930-f11caa132f16 | Enable logging by category group for Container Apps Environments (microsoft.app/managedenvironments) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Container Apps Environments (microsoft.app/managedenvironments). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 2f4d1c08-3695-41a7-a0a0-8db4a0e25233 | Enable logging by category group for Recovery Services vaults (microsoft.recoveryservices/vaults) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Recovery Services vaults (microsoft.recoveryservices/vaults). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 63a8eb0d-f030-4bc6-a1e4-6998f23aa160 | Enable logging by category group for microsoft.networkcloud/clusters to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.networkcloud/clusters. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 3d034ef2-001c-46f6-a47b-e6e4a74ff89b | Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Web PubSub Service (microsoft.signalrservice/webpubsub). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | change | Minor (1.1.0 > 1.2.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 20017523-2fd1-49a8-a766-79cbc572b827 | Enable logging by category group for microsoft.timeseriesinsights/environments to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.timeseriesinsights/environments. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | fcfe6bfa-dd36-40ef-ab2b-ed46f7d4abdb | Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Topics (microsoft.eventgrid/topics). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 40654dcd-0b26-49d6-aeaf-d12d7c1e8c4d | Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SQL managed instances (microsoft.sql/managedinstances). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 68d95589-2f07-42e3-ae6d-80a2ae3edbc4 | Enable logging by category group for Azure Load Testing (microsoft.loadtestservice/loadtests) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Load Testing (microsoft.loadtestservice/loadtests). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 889bfebf-7428-426e-a86f-79e2a7de2f71 | Enable logging by category group for Load balancers (microsoft.network/loadbalancers) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Load balancers (microsoft.network/loadbalancers). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 60579569-3633-42cb-ae6a-195080bf310d | Enable logging by category group for microsoft.networkfunction/azuretrafficcollectors to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.networkfunction/azuretrafficcollectors. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 77c56019-5c71-4d33-9ce3-7a817f2bc7fa | Enable logging by category group for Data Shares (microsoft.datashare/accounts) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Data Shares (microsoft.datashare/accounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | ae48c709-d2b4-4fad-8c5c-838524130aa4 | Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Machine Learning (microsoft.machinelearningservices/workspaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | change | Minor (1.1.0 > 1.2.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | c13b41e7-a45f-4600-96c0-18f84fb07771 | Enable logging by category group for microsoft.connectedcache/enterprisemcccustomers to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.connectedcache/enterprisemcccustomers. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 751f9297-5aae-4313-af2d-2a89226a7856 | Enable logging by category group for Data factories (V2) (microsoft.datafactory/factories) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Data factories (V2) (microsoft.datafactory/factories). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 4c9cd884-3e45-4588-ac9d-00d44be2cbcd | Enable logging by category group for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | f231d9f4-9110-40eb-979e-e4eac6602be2 | Enable logging by category group for Azure API for FHIR (microsoft.healthcareapis/services) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure API for FHIR (microsoft.healthcareapis/services). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 305408ed-dd5a-43b9-80c1-9eea87a176bb | Enable logging by category group for Azure Synapse Analytics (microsoft.synapse/workspaces) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Synapse Analytics (microsoft.synapse/workspaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | b9c8d1de-593f-472f-b32a-7e2fe0c2374a | Enable logging by category group for Communication Services (microsoft.communication/communicationservices) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Communication Services (microsoft.communication/communicationservices). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | ed6ae75a-828f-4fea-88fd-dead1145f1dd | Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Virtual network gateways (microsoft.network/virtualnetworkgateways). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | c1c0dd3c-6354-4265-a88b-801f84649944 | Enable logging by category group for microsoft.documentdb/cassandraclusters to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.documentdb/cassandraclusters. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 8e29fe36-d794-4c55-87d6-5a206031dde2 | Enable logging by category group for Managed CCF Apps (microsoft.confidentialledger/managedccfs) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Managed CCF Apps (microsoft.confidentialledger/managedccfs). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 1568dd08-cca0-4073-bfd8-e08a7fdc543e | Enable logging by category group for microsoft.workloads/sapvirtualinstances to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.workloads/sapvirtualinstances. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 5f6f2aba-e57f-42ed-9aeb-ffa7321a56db | Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SQL managed instances (microsoft.sql/managedinstances). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | change | Minor (1.1.0 > 1.2.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | f55ffc18-72c5-479c-a998-dc6806a6fa89 | Enable logging by category group for Host pools (microsoft.desktopvirtualization/hostpools) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Host pools (microsoft.desktopvirtualization/hostpools). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | d8624de8-47fe-47c0-bea0-2d8329b628fe | Enable logging by category group for microsoft.network/vpngateways to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/vpngateways. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 0e4325e3-228b-40f0-83ae-9c03276858c1 | Enable logging by category group for Connected Cache Resources (microsoft.connectedcache/ispcustomers) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Connected Cache Resources (microsoft.connectedcache/ispcustomers). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | dfbfceaa-14b2-4a90-a679-d169fa6a6a38 | Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for IoT Hub (microsoft.devices/iothubs). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | change | Minor (1.1.0 > 1.2.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | da9b245a-05a9-4c2a-acb3-5afe62658776 | Enable logging by category group for Integration accounts (microsoft.logic/integrationaccounts) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Integration accounts (microsoft.logic/integrationaccounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | fe85de62-a656-4b79-9d94-d95c89319bd9 | Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Log Analytics workspaces (microsoft.operationalinsights/workspaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 1c5187ed-9863-4961-bb92-c72bc3883e24 | Enable logging by category group for Azure Load Testing (microsoft.loadtestservice/loadtests) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Load Testing (microsoft.loadtestservice/loadtests). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | e488a548-7afd-43a7-a903-2a6dd36e7504 | Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Attestation providers (microsoft.attestation/attestationproviders). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | change | Minor (1.1.0 > 1.2.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 852877d5-b61d-4741-b649-85a324bb3fd4 | Enable logging by category group for Data Shares (microsoft.datashare/accounts) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Data Shares (microsoft.datashare/accounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 0bb5a1fb-b1ad-45fd-880e-a590f2ec8d1c | Enable logging by category group for microsoft.documentdb/cassandraclusters to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.documentdb/cassandraclusters. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | c3b912c2-7f5b-47ac-bd52-8c85a7667961 | Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 315c965f-c0d7-4397-86d3-c05a0981437a | Enable logging by category group for microsoft.machinelearningservices/workspaces/onlineendpoints to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.machinelearningservices/workspaces/onlineendpoints. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | e7c86682-34c1-488a-9aab-9cb279207992 | Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Service Bus Namespaces (microsoft.servicebus/namespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | change | Minor (1.1.0 > 1.2.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 03a087c0-b49f-4440-9ae5-013703eccc8c | Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Domains (microsoft.eventgrid/domains). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 064a3695-3197-4354-816b-65c7b952db9e | Enable logging by category group for microsoft.documentdb/mongoclusters to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.documentdb/mongoclusters. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 76e7a3b8-3822-4ca2-92d8-c20616fd870b | Enable logging by category group for microsoft.powerbi/tenants/workspaces to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.powerbi/tenants/workspaces. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | f7407db8-e40d-4efd-9fff-c61298e01fd5 | Enable logging by category group for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | a9725bd4-a2ad-479f-a29b-5e163cada399 | Enable logging by category group for microsoft.networkcloud/baremetalmachines to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.networkcloud/baremetalmachines. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 8d253bba-a338-4fd9-9752-6b6edadca1eb | Enable logging by category group for Media Services (microsoft.media/mediaservices) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Media Services (microsoft.media/mediaservices). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | change | Minor (1.1.0 > 1.2.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 4891dace-710e-40bd-b81f-6a0b9871b50b | Enable logging by category group for Notification Hub Namespaces (microsoft.notificationhubs/namespaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Notification Hub Namespaces (microsoft.notificationhubs/namespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 0f708273-cf83-4d29-b31b-ebaf8d0eb8c2 | Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 73baf464-93bb-450f-bda5-209c16d28dc3 | Enable logging by category group for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 3372b9c2-d179-4190-9f0c-e6f6304d0e93 | Enable logging by category group for Application groups (microsoft.desktopvirtualization/applicationgroups) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Application groups (microsoft.desktopvirtualization/applicationgroups). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 60af09fa-d167-44da-9bfc-21a49546a7b5 | Enable logging by category group for Backup vaults (microsoft.dataprotection/backupvaults) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Backup vaults (microsoft.dataprotection/backupvaults). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 4f925033-4d52-4619-909c-9c47a687dc51 | Enable logging by category group for microsoft.networkcloud/storageappliances to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.networkcloud/storageappliances. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 84509667-1a94-4255-9e5f-b479075c1069 | Enable logging by category group for microsoft.dbforpostgresql/servergroupsv2 to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.dbforpostgresql/servergroupsv2. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | fc2bb2e1-739a-4a03-86a2-16ad55e90bd9 | Enable logging by category group for microsoft.powerbi/tenants/workspaces to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.powerbi/tenants/workspaces. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 34c7546c-d637-4b5d-96ab-93fb6ed07af8 | Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Video Analyzers (microsoft.media/videoanalyzers). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | d3e11828-02c8-40d2-a518-ad01508bb4d7 | Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Cache for Redis (microsoft.cache/redis). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 116b1633-30d0-4e9a-a665-8aea3dc906c6 | Enable logging by category group for microsoft.servicenetworking/trafficcontrollers to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.servicenetworking/trafficcontrollers. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | ccdd9d7c-2bb6-465b-8ea1-5584b4af072e | Enable logging by category group for microsoft.connectedcache/enterprisemcccustomers to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.connectedcache/enterprisemcccustomers. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | cf6ff94d-c483-4491-976a-eb784101217a | Enable logging by category group for Experiment Workspaces (microsoft.experimentation/experimentworkspaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Experiment Workspaces (microsoft.experimentation/experimentworkspaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 83089e56-9675-4bc8-ae7d-ca4547dc764b | Enable logging by category group for microsoft.network/networksecurityperimeters to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/networksecurityperimeters. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 5164fdc7-cfcd-4bd8-a3e9-f4be93166cde | Enable logging by category group for microsoft.workloads/sapvirtualinstances to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.workloads/sapvirtualinstances. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | ee64264d-f9e3-4a0e-bbe2-db4319aeaf42 | Enable logging by category group for Endpoints (microsoft.cdn/profiles/endpoints) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Endpoints (microsoft.cdn/profiles/endpoints). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 81039988-1f84-4aa6-8039-0a64c2a301b4 | Enable logging by category group for Playwright Testing (microsoft.azureplaywrightservice/accounts) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Playwright Testing (microsoft.azureplaywrightservice/accounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | cc789f91-3e63-4cfb-86f4-87565055f269 | Enable logging by category group for microsoft.machinelearningservices/workspaces/onlineendpoints to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.machinelearningservices/workspaces/onlineendpoints. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 6ccd32f6-0a9a-40cf-9c5b-6cfd6aba33e9 | Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Virtual network gateways (microsoft.network/virtualnetworkgateways). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | change | Minor (1.1.0 > 1.2.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 0925a080-ab8d-44a1-a39c-61e184b4d8f9 | Enable logging by category group for Media Services (microsoft.media/mediaservices) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Media Services (microsoft.media/mediaservices). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 6201aeb7-2b5c-4671-8ab4-5d3ba4d77f3b | Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Front Door and CDN profiles (microsoft.cdn/profiles). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 2e8a8853-917a-4d26-9c3a-c92a7fa031e8 | Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for App Configuration (microsoft.appconfiguration/configurationstores). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | dfe69c56-9c12-4271-9e62-7607ab669582 | Enable logging by category group for Data Lake Storage Gen1 (microsoft.datalakestore/accounts) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Data Lake Storage Gen1 (microsoft.datalakestore/accounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 10e8c93c-658d-47e8-aa6f-ed60f329c060 | Enable logging by category group for microsoft.documentdb/mongoclusters to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.documentdb/mongoclusters. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 322b6192-a99b-4ab6-9b40-43ca19dcd0d9 | Enable logging by category group for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 8464ded4-af15-4319-950f-a30400d35247 | Enable logging by category group for Integration accounts (microsoft.logic/integrationaccounts) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Integration accounts (microsoft.logic/integrationaccounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 244bcb20-b194-41f3-afcc-63aef382b64c | Enable logging by category group for Application Insights (Microsoft.Insights/components) to Log Analytics (Virtual Enclaves) | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Application Insights (Microsoft.Insights/components). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Patch (1.0.0 > 1.0.1) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 1118afbc-c48d-43ae-931a-87b38956d40b | Enable logging by category group for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 63d1a629-735c-448b-b45f-5e3865e84cf5 | Enable logging by category group for Logic apps (microsoft.logic/workflows) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Logic apps (microsoft.logic/workflows). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 668e9597-4ccc-452f-80be-e9dd5b2ab897 | Enable logging by category group for Power BI Embedded (microsoft.powerbidedicated/capacities) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Power BI Embedded (microsoft.powerbidedicated/capacities). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | a26c842f-bee7-4a1f-9ae1-a973d3a0075a | Enable logging by category group for Container Apps Environments (microsoft.app/managedenvironments) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Container Apps Environments (microsoft.app/managedenvironments). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | eb5a4c26-04cb-4ab1-81cb-726dc58df772 | Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.network/frontdoors). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.1.0 > 1.2.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | b70d4e3a-b1d5-4432-b058-7ea0a4c02a4e | Enable logging by category group for microsoft.connectedcache/enterprisemcccustomers to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.connectedcache/enterprisemcccustomers. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 6f7fa8b1-4456-4d4c-94c2-1f1651b18235 | Enable logging by category group for microsoft.classicnetwork/networksecuritygroups to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.classicnetwork/networksecuritygroups. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 9f4e810a-899e-4e5e-8174-abfcf15739a3 | Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Front Door and CDN profiles (microsoft.cdn/profiles). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 35806bc0-0260-4642-bae7-0ed677b3da44 | Enable logging by category group for Chaos Experiments (microsoft.chaos/experiments) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Chaos Experiments (microsoft.chaos/experiments). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 2308e22a-85e9-431d-8c47-36072dfa64b5 | Enable logging by category group for microsoft.servicenetworking/trafficcontrollers to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.servicenetworking/trafficcontrollers. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 56288eb2-4350-461d-9ece-2bb242269dce | Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Container registries (microsoft.containerregistry/registries). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 40f0d036-d73d-45a9-8c3d-f3f84d227193 | Enable logging by category group for Batch accounts (microsoft.batch/batchaccounts) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Batch accounts (microsoft.batch/batchaccounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | baa4c6de-b7cf-4b12-b436-6e40ef44c8cb | Enable logging by category group for Network security groups (microsoft.network/networksecuritygroups) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Network security groups (microsoft.network/networksecuritygroups). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 116caf13-2666-4a2e-afca-9a5f1e671b11 | Enable logging by category group for Power BI Embedded (microsoft.powerbidedicated/capacities) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Power BI Embedded (microsoft.powerbidedicated/capacities). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 140ad507-70f0-43cb-a7cb-a8964341aefa | Enable logging by category group for Application Insights (microsoft.insights/components) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Application Insights (microsoft.insights/components). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | acbb9698-46bd-4800-89da-e3473c4ab10d | Enable logging by category group for Communication Services (microsoft.communication/communicationservices) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Communication Services (microsoft.communication/communicationservices). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | be26ca28-761d-4538-b78a-975eb47c680c | Enable logging by category group for Streaming Endpoints (microsoft.media/mediaservices/streamingendpoints) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Streaming Endpoints (microsoft.media/mediaservices/streamingendpoints). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | b88bfd90-4da5-43eb-936f-ae1481924291 | Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Managed HSMs (microsoft.keyvault/managedhsms). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 5b67d7f3-488f-42df-ab16-e38a913fcdba | Enable logging by category group for Azure Spring Apps (microsoft.appplatform/spring) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Spring Apps (microsoft.appplatform/spring). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 75a112bc-759f-4f29-83cc-799019db39c3 | Enable logging by category group for Azure Load Testing (microsoft.loadtestservice/loadtests) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Load Testing (microsoft.loadtestservice/loadtests). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | bbdbb83b-cbfe-49f7-b7d1-1126630a68b7 | Enable logging by category group for microsoft.dbforpostgresql/servers to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.dbforpostgresql/servers. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | b9b976cc-59ef-468a-807e-19afa2ebfd52 | Enable logging by category group for microsoft.network/p2svpngateways to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.network/p2svpngateways. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.1.0 > 1.2.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 5a1fa110-16bc-49d0-a045-29a552b67cef | Enable logging by category group for microsoft.synapse/workspaces/kustopools to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.synapse/workspaces/kustopools. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 1bd91eae-4429-4f23-b780-8c9622e023e3 | Enable logging by category group for Azure AD Domain Services (microsoft.aad/domainservices) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure AD Domain Services (microsoft.aad/domainservices). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 5360664a-5821-4f43-8988-3f0ed8f3f8a5 | Enable logging by category group for microsoft.networkanalytics/dataproducts to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.networkanalytics/dataproducts. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 50d96640-65c9-42de-b79a-95c1890c6ec8 | Enable logging by category group for microsoft.networkfunction/azuretrafficcollectors to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.networkfunction/azuretrafficcollectors. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | e260a121-c160-4da3-8a0f-e2c0ff6c561e | Enable logging by category group for FHIR service (microsoft.healthcareapis/workspaces/fhirservices) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for FHIR service (microsoft.healthcareapis/workspaces/fhirservices). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | e9b1fed8-35a2-47d0-b8aa-3834f5032862 | Enable logging by category group for Azure Synapse Analytics (microsoft.synapse/workspaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Synapse Analytics (microsoft.synapse/workspaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | bdef6e51-210f-4dc3-87b4-eef30f2e6a17 | Enable logging by category group for microsoft.community/communitytrainings to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.community/communitytrainings. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | b55f2e8e-dc76-4262-a0e3-45f02200ff0e | Enable logging by category group for Public IP Prefixes (microsoft.network/publicipprefixes) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Public IP Prefixes (microsoft.network/publicipprefixes). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 33835ef6-bc67-4bde-bf5f-5a857f195a57 | Enable logging by category group for microsoft.machinelearningservices/registries to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.machinelearningservices/registries. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | b14e31e2-22d0-48bb-907e-cfb3487e2120 | Enable logging by category group for HPC caches (microsoft.storagecache/caches) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for HPC caches (microsoft.storagecache/caches). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 18009236-18d3-48e3-bd21-4e7630153611 | Enable logging by category group for Connected Cache Resources (microsoft.connectedcache/ispcustomers) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Connected Cache Resources (microsoft.connectedcache/ispcustomers). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 234bbd1b-05f6-4639-8770-1cd5278ba2c9 | Enable logging by category group for microsoft.autonomousdevelopmentplatform/workspaces to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.autonomousdevelopmentplatform/workspaces. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 8d0726a6-abae-4b04-9d2e-1f2f67a47e6d | Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for App Configuration (microsoft.appconfiguration/configurationstores). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.1.0 > 1.2.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | f0d25196-1ea4-49e1-ad53-ccada27b4862 | Enable logging by category group for DICOM service (microsoft.healthcareapis/workspaces/dicomservices) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for DICOM service (microsoft.healthcareapis/workspaces/dicomservices). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 98569e20-8f32-4f31-bf34-0e91590ae9d3 | Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (1.4.0 > 1.5.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | d9f11fea-dd45-46aa-8908-b7a146f1e543 | Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Automation Accounts (microsoft.automation/automationaccounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.1.0 > 1.2.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 434b25a4-5396-41ec-97aa-1f4ae3bf269d | Enable logging by category group for Analysis Services (microsoft.analysisservices/servers) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Analysis Services (microsoft.analysisservices/servers). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 3534c358-8a1c-4601-b6ff-43d378d65efa | Enable logging by category group for microsoft.devices/provisioningservices to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.devices/provisioningservices. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 605dd1c9-db6f-496f-ba7f-841ea3e246e0 | Enable logging by category group for Azure Database for MySQL servers (microsoft.dbformysql/servers) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Database for MySQL servers (microsoft.dbformysql/servers). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 2f6556cb-a2da-4130-a0dd-e5d05dccf9bb | Enable logging by category group for Azure Video Indexer (microsoft.videoindexer/accounts) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Video Indexer (microsoft.videoindexer/accounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 9b6f89db-876b-4156-9f9b-f29dcf302ad2 | Enable logging by category group for microsoft.azuresphere/catalogs to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.azuresphere/catalogs. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 69214fad-6742-49a9-8f71-ee9d269364ab | Enable logging by category group for Media Services (microsoft.media/mediaservices) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Media Services (microsoft.media/mediaservices). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 2fbd2ca9-e7b2-47a0-a8b2-575f3f7607d4 | Enable logging by category group for microsoft.cdn/cdnwebapplicationfirewallpolicies to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.cdn/cdnwebapplicationfirewallpolicies. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | b6f29e6b-4b21-4bb6-a997-38592fa02864 | Enable logging by category group for Managed CCF Apps (microsoft.confidentialledger/managedccfs) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Managed CCF Apps (microsoft.confidentialledger/managedccfs). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 20e491a1-11fe-4d11-ab4e-a81edd23672e | Enable logging by category group for 1ES Hosted Pools (microsoft.cloudtest/hostedpools) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for 1ES Hosted Pools (microsoft.cloudtest/hostedpools). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | be3ddb6b-c328-4ecd-91e8-c2804868ea9c | Enable logging by category group for microsoft.dbformysql/flexibleservers to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.dbformysql/flexibleservers. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 2eb903dd-4881-4284-a31d-4bae3f053946 | Enable logging by category group for microsoft.community/communitytrainings to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.community/communitytrainings. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 087dbf66-448d-4235-b7b8-17af48edc9db | Enable logging by category group for microsoft.classicnetwork/networksecuritygroups to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.classicnetwork/networksecuritygroups. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | a21ac20a-4dd3-40e9-8036-b3351ecf9319 | Enable logging by category group for microsoft.timeseriesinsights/environments to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.timeseriesinsights/environments. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 07c818eb-df75-4465-9233-6a8667e86670 | Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Automation Accounts (microsoft.automation/automationaccounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 7a8afaba-cc24-4306-b83f-d178f1a10ba2 | Enable logging by category group for Power BI Embedded (microsoft.powerbidedicated/capacities) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Power BI Embedded (microsoft.powerbidedicated/capacities). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 90c90eda-bfe7-4c67-bf26-410420ed1047 | Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Machine Learning (microsoft.machinelearningservices/workspaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 5a69fd36-760e-4a65-a621-836f1159e304 | Enable logging by category group for microsoft.notificationhubs/namespaces/notificationhubs to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.notificationhubs/namespaces/notificationhubs. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | b4a9c220-1d62-4163-a17b-30db7d5b7278 | Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Virtual network gateways (microsoft.network/virtualnetworkgateways). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | f6d5d5d5-0fa9-4257-b820-69c35016c973 | Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | change | Minor (1.1.0 > 1.2.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 2db34cad-25ef-48e3-a787-c2cd36434cd7 | Enable logging by category group for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 621d8969-4918-45e7-954b-2fb0b42e7059 | Enable logging by category group for Data Lake Storage Gen1 (microsoft.datalakestore/accounts) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Data Lake Storage Gen1 (microsoft.datalakestore/accounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | a78631da-8506-4113-96f4-2805de193083 | Enable logging by category group for Azure Managed Grafana (microsoft.dashboard/grafana) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Managed Grafana (microsoft.dashboard/grafana). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 2cb215be-a09b-4623-ac2f-dfc5012b1a5b | Enable logging by category group for ExpressRoute circuits (microsoft.network/expressroutecircuits) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for ExpressRoute circuits (microsoft.network/expressroutecircuits). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 0dac4c0b-0ca4-4c6e-9a09-61917873b3b0 | Enable logging by category group for microsoft.networkcloud/baremetalmachines to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.networkcloud/baremetalmachines. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 22c8a30b-c5c1-4434-b837-2772543d3c3c | Enable logging by category group for Event Grid System Topics (microsoft.eventgrid/systemtopics) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid System Topics (microsoft.eventgrid/systemtopics). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 82b076b9-2062-4516-ae4c-37b1890eabb2 | Enable logging by category group for Dev centers (microsoft.devcenter/devcenters) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Dev centers (microsoft.devcenter/devcenters). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 50bdafe5-c7b6-4812-af5f-75dc00561aed | Enable logging by category group for Firewalls (microsoft.network/azurefirewalls) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Firewalls (microsoft.network/azurefirewalls). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | a05c2daf-be1f-4d2c-8a12-b3627d477b44 | Enable logging by category group for Managed databases (microsoft.sql/managedinstances/databases) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Managed databases (microsoft.sql/managedinstances/databases). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | e1bf4d43-542a-4410-918d-7e61c8e1ac21 | Enable logging by category group for Event Grid Partner Topics (microsoft.eventgrid/partnertopics) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Partner Topics (microsoft.eventgrid/partnertopics). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | e9e99d63-621a-4a33-8799-0fb53e43f162 | Enable logging by category group for Scaling plans (microsoft.desktopvirtualization/scalingplans) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Scaling plans (microsoft.desktopvirtualization/scalingplans). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 824142d3-eccb-4b7c-8403-319610811237 | Enable logging by category group for Data collection rules (microsoft.insights/datacollectionrules) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Data collection rules (microsoft.insights/datacollectionrules). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | f48c1843-fc88-47c1-9b01-4527c76c890a | Enable logging by category group for Azure Managed Grafana (microsoft.dashboard/grafana) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Managed Grafana (microsoft.dashboard/grafana). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 8181847d-3422-4030-b815-481934740b63 | Enable logging by category group for microsoft.azuresphere/catalogs to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.azuresphere/catalogs. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | a08af17e-c2a3-478e-a819-94839ef02b32 | Enable logging by category group for microsoft.network/networkmanagers/ipampools to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.network/networkmanagers/ipampools. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 8ea88471-98e1-47e4-9f63-838c990ba2f4 | Enable logging by category group for Scaling plans (microsoft.desktopvirtualization/scalingplans) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Scaling plans (microsoft.desktopvirtualization/scalingplans). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 5e6697bc-9d6d-4de9-95f9-898f130372df | Enable logging by category group for Azure Video Indexer (microsoft.videoindexer/accounts) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Video Indexer (microsoft.videoindexer/accounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | a5385dba-3caf-43da-8804-c68174d315a7 | Enable logging by category group for Data Lake Storage Gen1 (microsoft.datalakestore/accounts) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Data Lake Storage Gen1 (microsoft.datalakestore/accounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 50ca36f4-5306-4275-ad42-a40ca2805c77 | Enable logging by category group for Azure Databricks Services (microsoft.databricks/workspaces) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Databricks Services (microsoft.databricks/workspaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 76539a09-021e-4300-953b-4c6018ac26dc | Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.cdn/profiles). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | change | Minor (1.1.0 > 1.2.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 6f3f5778-f809-4755-9d8f-bd5a5a7add85 | Enable logging by category group for API Management services (microsoft.apimanagement/service) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for API Management services (microsoft.apimanagement/service). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 0fdc6116-c747-449c-b9cc-330fcd4c5c9c | Enable logging by category group for microsoft.network/dnsresolverpolicies to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.network/dnsresolverpolicies. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 6b359d8f-f88d-4052-aa7c-32015963ecc1 | Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Key vaults (microsoft.keyvault/vaults). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 9ba29e83-863d-4fec-81d0-16dd87067cc3 | Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Container registries (microsoft.containerregistry/registries). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | change | Minor (1.1.0 > 1.2.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 6248cb7c-e485-42ad-ba20-b1ee8fba7674 | Enable logging by category group for Azure Databricks Services (microsoft.databricks/workspaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Databricks Services (microsoft.databricks/workspaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | b678d84d-9723-4df0-a131-82c730231f1e | Enable logging by category group for Recovery Services vaults (microsoft.recoveryservices/vaults) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Recovery Services vaults (microsoft.recoveryservices/vaults). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | e0f5ec01-8979-49bf-9fd7-2a4eff9fa8e0 | Enable logging by category group for microsoft.network/vpngateways to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/vpngateways. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | d7d59290-3ee5-4c1b-b408-c38b21799aea | Enable logging by category group for microsoft.managednetworkfabric/networkdevices to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.managednetworkfabric/networkdevices. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 69ab8bfc-dc5b-443d-93a7-7531551dec66 | Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for AVS Private clouds (microsoft.avs/privateclouds). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 0e0c742d-5031-4e65-bf96-1bee7cf55740 | Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SignalR (microsoft.signalrservice/signalr). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 3d7d0cc7-bd72-4f41-bf55-0be57faa3883 | Enable logging by category group for microsoft.dbforpostgresql/servers to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.dbforpostgresql/servers. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 42e5ad1f-57fd-49a7-b0e4-c7a7ae25ba3d | Enable logging by category group for Code Signing Accounts (microsoft.codesigning/codesigningaccounts) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Code Signing Accounts (microsoft.codesigning/codesigningaccounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | a285df35-0164-4f4d-9e04-c39056742c55 | Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | change | Minor (1.1.0 > 1.2.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 0ba93a1b-ac4d-4e7b-976a-548a18be1e52 | Enable logging by category group for Experiment Workspaces (microsoft.experimentation/experimentworkspaces) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Experiment Workspaces (microsoft.experimentation/experimentworkspaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 3ca36b5c-2f29-41a0-9b1d-80e2cdf2d947 | Enable logging by category group for Load balancers (microsoft.network/loadbalancers) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Load balancers (microsoft.network/loadbalancers). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | ebd6e41f-c33e-4e16-9249-cee4c68e6e8c | Enable logging by category group for microsoft.notificationhubs/namespaces/notificationhubs to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.notificationhubs/namespaces/notificationhubs. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | a81eb966-6696-46b1-9153-bed01569a7d0 | Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Domains (microsoft.eventgrid/domains). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | change | Minor (1.1.0 > 1.2.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | a972fe34-7882-4476-87cf-eb9631785fb5 | Enable logging by category group for microsoft.dbforpostgresql/servergroupsv2 to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.dbforpostgresql/servergroupsv2. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 90425e88-1eab-420c-964e-fc1dc79833a6 | Enable logging by category group for Batch accounts (microsoft.batch/batchaccounts) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Batch accounts (microsoft.batch/batchaccounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 614d9fbd-68cd-4832-96db-3362069661b2 | Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for IoT Hub (microsoft.devices/iothubs). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 971199b6-1971-4d3e-85b0-fa7639044679 | Enable logging by category group for Search services (microsoft.search/searchservices) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Search services (microsoft.search/searchservices). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 5305ea79-c247-456a-bdbd-dc35cef62ce1 | Enable logging by category group for Dev centers (microsoft.devcenter/devcenters) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Dev centers (microsoft.devcenter/devcenters). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | e9c56c41-d453-4a80-af93-2331afeb3d82 | Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Front Door and CDN profiles (microsoft.network/frontdoors). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 637125fd-7c39-4b94-bb0a-d331faf333a9 | Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (1.4.0 > 1.5.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 145ff119-bfcf-443a-834c-b59859ec3ee7 | Enable logging by category group for Caches (microsoft.cache/redisenterprise/databases) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Caches (microsoft.cache/redisenterprise/databases). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 93a604fe-0ec2-4a99-ab8c-7ef08f05555a | Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SignalR (microsoft.signalrservice/signalr). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | efa9bf93-28f9-4f05-8e8c-31b8875e9713 | Enable logging by category group for Storage movers (microsoft.storagemover/storagemovers) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Storage movers (microsoft.storagemover/storagemovers). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 1859cd03-7f77-495d-a0ce-336a36a6830d | Enable logging by category group for Application Insights (microsoft.insights/components) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Application Insights (microsoft.insights/components). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | abb62520-ee66-4bdb-96d3-49ad98c66131 | Enable logging by category group for Azure Spring Apps (microsoft.appplatform/spring) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Spring Apps (microsoft.appplatform/spring). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 8af74447-9495-4245-8e49-f74723dcd231 | Enable logging by category group for microsoft.openenergyplatform/energyservices to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.openenergyplatform/energyservices. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 4c67a1c0-8e77-4f4b-b572-5c11695aae2d | Enable logging by category group for microsoft.d365customerinsights/instances to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.d365customerinsights/instances. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 3d28ea18-8e88-4160-96ff-4b6af4fd94c7 | Enable logging by category group for HPC caches (microsoft.storagecache/caches) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for HPC caches (microsoft.storagecache/caches). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 55d1f543-d1b0-4811-9663-d6d0dbc6326d | Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Cognitive Services (microsoft.cognitiveservices/accounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 69d4fcec-8426-426a-ad48-439fd3b14e9e | Enable logging by category group for microsoft.dbforpostgresql/servers to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.dbforpostgresql/servers. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | d3abca82-2ae2-4707-bf5e-cfc765ce9ff1 | Enable logging by category group for microsoft.servicenetworking/trafficcontrollers to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.servicenetworking/trafficcontrollers. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | e25bcb29-0412-42c3-a526-1ff794310a1e | Enable logging by category group for Azure API for FHIR (microsoft.healthcareapis/services) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure API for FHIR (microsoft.healthcareapis/services). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 20f21bc7-b0b8-4d57-83df-5a8a0912b934 | Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | d147ba9f-3e17-40b1-9c23-3bca478ba804 | Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Front Door and CDN profiles (microsoft.network/frontdoors). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | c600af08-49ff-4f7a-b5c9-0686749387b7 | Enable logging by category group for Container instances (microsoft.containerinstance/containergroups) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Container instances (microsoft.containerinstance/containergroups). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 7e87b2cc-1e49-4e07-a651-a2f38d4667ad | Enable logging by category group for Data collection rules (microsoft.insights/datacollectionrules) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Data collection rules (microsoft.insights/datacollectionrules). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | e74570cf-1b7d-4bed-b79e-d1fd1117a39a | Enable logging by category group for Endpoints (microsoft.cdn/profiles/endpoints) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Endpoints (microsoft.cdn/profiles/endpoints). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | f08edf17-5de2-4966-8c62-a50a3f4368ff | Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Video Analyzers (microsoft.media/videoanalyzers). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 6ee1c58c-a123-4cd6-8643-48b2f7ffb3e1 | Enable logging by category group for microsoft.network/networkmanagers/ipampools to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/networkmanagers/ipampools. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 1bd3a451-9f38-43e5-aed3-bede117c3055 | Enable logging by category group for Data Lake Analytics (microsoft.datalakeanalytics/accounts) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Data Lake Analytics (microsoft.datalakeanalytics/accounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 40ce1496-89c2-40cf-80e5-3c4687d2ee4b | Enable logging by category group for Virtual networks (microsoft.network/virtualnetworks) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Virtual networks (microsoft.network/virtualnetworks). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 1cd30d13-d34c-4cb8-8f9d-4692f7d40d97 | Enable logging by category group for Chaos Experiments (microsoft.chaos/experiments) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Chaos Experiments (microsoft.chaos/experiments). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | d98f63ed-e319-4dc3-898f-600953a05f7e | Enable logging by category group for Azure Managed Grafana (microsoft.dashboard/grafana) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Managed Grafana (microsoft.dashboard/grafana). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | edf35972-ed56-4c2f-a4a1-65f0471ba702 | Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Key vaults (microsoft.keyvault/vaults). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 9dbcaaa7-0c1b-4861-81c2-d340661b4382 | Enable logging by category group for SCOPE pools (microsoft.synapse/workspaces/scopepools) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SCOPE pools (microsoft.synapse/workspaces/scopepools). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 818719e5-1338-4776-9a9d-3c31e4df5986 | Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Log Analytics workspaces (microsoft.operationalinsights/workspaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | adeec880-527c-4def-a2bf-3053be70eef8 | Enable logging by category group for microsoft.managednetworkfabric/networkdevices to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.managednetworkfabric/networkdevices. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 00ec9865-beb6-4cfd-82ed-bd8f50756acd | Enable logging by category group for microsoft.network/p2svpngateways to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/p2svpngateways. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 0fcf2d91-8951-43be-9505-ab43dee2f580 | Enable logging by category group for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 93319447-e347-406b-953f-618c3b599554 | Enable logging by category group for ExpressRoute circuits (microsoft.network/expressroutecircuits) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for ExpressRoute circuits (microsoft.network/expressroutecircuits). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 3893777a-aaf0-4b74-b08a-14ca9e5a9608 | Enable logging by category group for Container Apps Environments (microsoft.app/managedenvironments) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Container Apps Environments (microsoft.app/managedenvironments). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | aade2723-e7f6-46fd-b1dc-e6c2c7f7edc4 | Enable logging by category group for 1ES Hosted Pools (microsoft.cloudtest/hostedpools) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for 1ES Hosted Pools (microsoft.cloudtest/hostedpools). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 14681907-c749-4d60-8eae-1038537fb8a3 | Enable logging by category group for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | dc1b5908-da05-4eed-a988-c5e32fdb682d | Enable logging by category group for microsoft.network/dnsresolverpolicies to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/dnsresolverpolicies. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 0da6faeb-d6c6-4f6e-9f49-06277493270b | Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Web PubSub Service (microsoft.signalrservice/webpubsub). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 2d8b0f41-9850-4bac-b63b-96a882a0e683 | Enable logging by category group for Connected Cache Resources (microsoft.connectedcache/ispcustomers) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Connected Cache Resources (microsoft.connectedcache/ispcustomers). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 5e23caa9-3cea-4f5b-a181-ba6a3bdb91ef | Enable logging by category group for Azure API for FHIR (microsoft.healthcareapis/services) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure API for FHIR (microsoft.healthcareapis/services). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 39741c6f-5e8b-4511-bba4-6662d0e0e2ac | Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Attestation providers (microsoft.attestation/attestationproviders). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 12000b3e-e38b-4bef-9098-38785f06ea32 | Enable logging by category group for microsoft.machinelearningservices/registries to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.machinelearningservices/registries. | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 68ba9fc9-71b9-4e6f-9cf5-ecc07722324c | Enable logging by category group for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 58cb2d8e-623c-4557-bb4e-0b64cb41ec55 | Enable logging by category group for App Service Environments (microsoft.web/hostingenvironments) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for App Service Environments (microsoft.web/hostingenvironments). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 0e861bb0-d926-4cdb-b2d6-d59336b8f5b3 | Enable logging by category group for microsoft.networkanalytics/dataproducts to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.networkanalytics/dataproducts. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 792f8b74-dc05-44fd-b90d-340a097b80e6 | Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Video Analyzers (microsoft.media/videoanalyzers). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | change | Minor (1.1.0 > 1.2.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 3496f6fd-57ba-485c-8a14-183c4493b781 | Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 3ec48f10-33fc-40d2-aaf2-028c4f7bbd02 | Enable logging by category group for Azure Database for MySQL servers (microsoft.dbformysql/servers) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Database for MySQL servers (microsoft.dbformysql/servers). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | e2526c67-0363-4da9-96f8-a95d746cf60b | Enable logging by category group for Playwright Testing (microsoft.azureplaywrightservice/accounts) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Playwright Testing (microsoft.azureplaywrightservice/accounts). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | a8de4d0a-d637-4684-b70e-6df73b74d117 | Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Machine Learning (microsoft.machinelearningservices/workspaces). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 4ce6d386-fc8e-4ac4-9bff-e5859625cea4 | Enable logging by category group for Endpoints (microsoft.cdn/profiles/endpoints) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Endpoints (microsoft.cdn/profiles/endpoints). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 867c08d5-bc47-404d-9a1b-0aec7a8d34eb | Enable logging by category group for Workspaces (microsoft.desktopvirtualization/workspaces) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Workspaces (microsoft.desktopvirtualization/workspaces). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | f62b9eab-b489-4388-9874-b0a62ca31327 | Enable logging by category group for Azure Database for MariaDB servers (microsoft.dbformariadb/servers) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Database for MariaDB servers (microsoft.dbformariadb/servers). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 50cebe4c-8021-4f07-bcb2-6c80622444a9 | Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for AVS Private clouds (microsoft.avs/privateclouds). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | ffe49e3d-50dd-4137-8fe5-6877c4384b69 | Enable logging by category group for microsoft.workloads/sapvirtualinstances to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.workloads/sapvirtualinstances. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 3c25d50c-bd5a-4f98-a0de-2495e000cfa7 | Enable logging by category group for microsoft.openenergyplatform/energyservices to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.openenergyplatform/energyservices. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 5a6186f9-04a4-4320-b6ed-a1c3f2ebbc3b | Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Managed HSMs (microsoft.keyvault/managedhsms). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 0eb11858-8d9f-4525-b9ab-cc5eab07d27a | Enable logging by category group for Managed CCF Apps (microsoft.confidentialledger/managedccfs) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Managed CCF Apps (microsoft.confidentialledger/managedccfs). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 9df7e623-1f7c-47fa-9db6-777c9a3f2636 | Enable logging by category group for microsoft.autonomousdevelopmentplatform/workspaces to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.autonomousdevelopmentplatform/workspaces. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 6308bf75-8340-4bab-b2ec-2f5000697af4 | Enable logging by category group for microsoft.classicnetwork/networksecuritygroups to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.classicnetwork/networksecuritygroups. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 257954d9-4adf-410b-9751-3bb22fe9c180 | Enable logging by category group for Azure AD Domain Services (microsoft.aad/domainservices) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure AD Domain Services (microsoft.aad/domainservices). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 56ae9f08-b8c9-4a0f-8f58-5dbcd63bef84 | Enable logging by category group for Relays (microsoft.relay/namespaces) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Relays (microsoft.relay/namespaces). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 5798b390-1b02-47b7-88fb-90adf07e8d1b | Enable logging by category group for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 8d0e693f-1b54-41d1-880e-199c3caed23f | Enable logging by category group for Virtual networks (microsoft.network/virtualnetworks) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Virtual networks (microsoft.network/virtualnetworks). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 17f18067-406f-49b2-84ce-d1eb66c3fc75 | Enable logging by category group for Live events (microsoft.media/mediaservices/liveevents) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Live events (microsoft.media/mediaservices/liveevents). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 4b05de63-3ad2-4f6d-b421-da21f1328f3b | Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for App Configuration (microsoft.appconfiguration/configurationstores). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | e6acdfc4-25e3-4b36-9b0c-5c5743edd1b7 | Enable logging by category group for Workspaces (microsoft.desktopvirtualization/workspaces) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Workspaces (microsoft.desktopvirtualization/workspaces). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | a819f227-229d-44cb-8ad6-25becdb4451f | Enable logging by category group for Azure Data Explorer Clusters (microsoft.kusto/clusters) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Data Explorer Clusters (microsoft.kusto/clusters). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 480ee186-7504-48ac-b64e-af38673aa2c6 | Enable logging by category group for Search services (microsoft.search/searchservices) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Search services (microsoft.search/searchservices). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 39078c44-b8d4-4c7d-8579-7f021d326ebf | Enable logging by category group for Chaos Experiments (microsoft.chaos/experiments) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Chaos Experiments (microsoft.chaos/experiments). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 0ebe872d-7029-4292-88bc-ad3e2cf3772f | Enable logging by category group for microsoft.network/networksecurityperimeters to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/networksecurityperimeters. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | e99ab54f-260e-4925-a70f-8fe0a92443ef | Enable logging by category group for Storage movers (microsoft.storagemover/storagemovers) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Storage movers (microsoft.storagemover/storagemovers). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 059e6dd0-544a-4c93-abad-b3ad77667339 | Enable logging by category group for Host pools (microsoft.desktopvirtualization/hostpools) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Host pools (microsoft.desktopvirtualization/hostpools). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 5d7409c0-fb8e-4052-9969-ef09f12fd166 | Enable logging by category group for Live events (microsoft.media/mediaservices/liveevents) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Live events (microsoft.media/mediaservices/liveevents). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 08240c20-e48f-47d9-9305-2a8c4da75a3e | Enable logging by category group for Storage movers (microsoft.storagemover/storagemovers) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Storage movers (microsoft.storagemover/storagemovers). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 30499756-47d6-493c-9e57-ee3db2d9fa96 | Enable logging by category group for microsoft.insights/autoscalesettings to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.insights/autoscalesettings. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 3227dfd8-3536-4336-94c9-78633be6baa2 | Enable logging by category group for Analysis Services (microsoft.analysisservices/servers) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Analysis Services (microsoft.analysisservices/servers). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 5edd2580-3272-4509-b121-57054b4c70c4 | Enable logging by category group for Event Grid Partner Topics (microsoft.eventgrid/partnertopics) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Partner Topics (microsoft.eventgrid/partnertopics). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 82333640-495e-4249-92bb-2a5e2d07b964 | Enable logging by category group for Network Managers (microsoft.network/networkmanagers) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Network Managers (microsoft.network/networkmanagers). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | bd0079c6-6f2d-42f4-9cee-e23930968f10 | Enable logging by category group for microsoft.dbforpostgresql/flexibleservers to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.dbforpostgresql/flexibleservers. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | d4d93413-9560-4252-a16d-b8c3bbaf5baf | Enable logging by category group for Data Lake Analytics (microsoft.datalakeanalytics/accounts) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Data Lake Analytics (microsoft.datalakeanalytics/accounts). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 9756f174-ca74-4d7a-a56e-7104d8a954b0 | Enable logging by category group for Communication Services (microsoft.communication/communicationservices) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Communication Services (microsoft.communication/communicationservices). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 0628b917-d4b4-4af5-bc2b-b4f87cd173ab | Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Cognitive Services (microsoft.cognitiveservices/accounts). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | change | Minor (1.1.0 > 1.2.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | ba0ba89c-1137-407f-ae7a-19152ea7ae82 | Enable logging by category group for Load balancers (microsoft.network/loadbalancers) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Load balancers (microsoft.network/loadbalancers). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 60ad0a9f-f760-45ff-ab94-4c64d7439f18 | Enable logging by category group for Container instances (microsoft.containerinstance/containergroups) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Container instances (microsoft.containerinstance/containergroups). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | b79bf56e-c296-4829-afea-6ac9263e7687 | Enable logging by category group for microsoft.network/dnsresolverpolicies to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/dnsresolverpolicies. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 958060c2-8d8e-478e-b3ec-d3d2249b461c | Enable logging by category group for Code Signing Accounts (microsoft.codesigning/codesigningaccounts) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Code Signing Accounts (microsoft.codesigning/codesigningaccounts). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | f018b68f-d953-4238-81a3-94a0f39507e3 | Enable logging by category group for SCOPE pools (microsoft.synapse/workspaces/scopepools) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SCOPE pools (microsoft.synapse/workspaces/scopepools). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 54c7cff6-a032-43e1-9656-d4c24665f805 | Enable logging by category group for microsoft.notificationhubs/namespaces/notificationhubs to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.notificationhubs/namespaces/notificationhubs. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | a511ca63-0a10-46e3-960b-bb6431e9e1a3 | Enable logging by category group for microsoft.managednetworkfabric/networkdevices to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.managednetworkfabric/networkdevices. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 167dbbbc-a03a-4ebe-8e46-c34cc67f7d9d | Enable logging by category group for microsoft.d365customerinsights/instances to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.d365customerinsights/instances. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 84d8a69f-788a-4025-ba96-f36406cc9ee5 | Enable logging by category group for microsoft.machinelearningservices/registries to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.machinelearningservices/registries. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 11638078-a29c-4cf3-ad7f-775f78327425 | Enable logging by category group for Application gateways (microsoft.network/applicationgateways) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Application gateways (microsoft.network/applicationgateways). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 144aa510-91a0-4de9-9800-43a7ef5e947f | Enable logging by category group for Data factories (V2) (microsoft.datafactory/factories) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Data factories (V2) (microsoft.datafactory/factories). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | bf6af3d2-fbd5-458f-8a40-2556cf539b45 | Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Web PubSub Service (microsoft.signalrservice/webpubsub). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 2137dd9f-94ac-413f-93a8-d068966308c9 | Enable logging by category group for Azure Data Explorer Clusters (microsoft.kusto/clusters) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Data Explorer Clusters (microsoft.kusto/clusters). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 1840aef8-71df-4a30-a108-efdb4f291a7f | Enable logging by category group for Integration accounts (microsoft.logic/integrationaccounts) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Integration accounts (microsoft.logic/integrationaccounts). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | e76ef589-c7d6-42cf-a61a-13471f6f50cd | Enable logging by category group for Caches (microsoft.cache/redisenterprise/databases) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Caches (microsoft.cache/redisenterprise/databases). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 0120ef84-66e7-4faf-aad8-14c36389697e | Enable logging by category group for Network security groups (microsoft.network/networksecuritygroups) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Network security groups (microsoft.network/networksecuritygroups). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 46b2dd5d-3936-4347-8908-b298ea4466d3 | Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Topics (microsoft.eventgrid/topics). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 5fcf46f9-194c-47ff-8889-380f57ae4617 | Enable logging by category group for Firewalls (microsoft.network/azurefirewalls) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Firewalls (microsoft.network/azurefirewalls). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Monitoring | 99b3bfad-aef0-476d-ae98-40861f8eae22 | Enable logging by category group for Application groups (microsoft.desktopvirtualization/applicationgroups) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Application groups (microsoft.desktopvirtualization/applicationgroups). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
add |
new Policy | 2024-04-29 17:47:10 | BuiltIn |
Security Center | 09963c90-6ee7-4215-8d26-1cc660a1682f | Create and assign a built-in user-assigned managed identity | Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.4.0 > 1.5.0) | 2024-04-22 16:32:55 | BuiltIn |
Security Center | 04754ef9-9ae3-4477-bf17-86ef50026304 | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.4.0 > 1.5.0) | 2024-04-22 16:32:55 | BuiltIn |
Security Center | 242300d6-1bfc-4d64-8d01-cee583709ebd | Configure the Microsoft Defender for SQL Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.2.0 > 1.3.0) | 2024-04-22 16:32:55 | BuiltIn |
Managed Identity | d367bd60-64ca-4364-98ea-276775bddd94 | [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
change |
Minor, suffix remains equal (1.0.6-preview > 1.1.0-preview) | 2024-04-22 16:32:55 | BuiltIn |
Managed Identity | 516187d4-ef64-4a1b-ad6b-a7348502976c | [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets | Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. | Default DeployIfNotExists Allowed AuditIfNotExists, DeployIfNotExists, Disabled |
count: 002 •Contributor •User Access Administrator |
change |
Minor, suffix remains equal (1.0.6-preview > 1.1.0-preview) | 2024-04-22 16:32:55 | BuiltIn |
Communication | bcff6755-335b-484d-b435-d1161db39cdc | Communication service resource should use a managed identity | Assigning a managed identity to your Communication service resource helps ensure secure authentication. This identity is used by this Communication service resource to communicate with other Azure services, like Azure Storage, in a secure way without you having to manage any credentials. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-04-22 16:32:55 | BuiltIn | |
Security Center | 63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 | Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.4.0 > 1.5.0) | 2024-04-22 16:32:55 | BuiltIn |
Kubernetes | 5f86d473-38a8-46c9-bdfe-d7fa3b9836bf | [Preview]: Sets Kubernetes cluster containers memory limits to default values in case not present. | Setting container memory limits to prevent resource exhaustion attacks in a Kubernetes cluster. | Default Mutate Allowed Mutate, Disabled |
change |
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) | 2024-04-22 16:32:55 | BuiltIn | |
Security Center | da0fd392-9669-4ad4-b32c-ca46aaa6c21f | Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.3.0 > 1.4.0) | 2024-04-22 16:32:55 | BuiltIn |
Communication | 93c45b74-42a1-4967-b25d-82c4dc630921 | Communication service resource should use allow listed data location | Create a Communication service resource only from an allow listed data location. This data location determines where the data of the communication service resource will be stored at rest, ensuring your preferred allow listed data locations as this cannot be changed after resource creation. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-04-22 16:32:55 | BuiltIn | |
Kubernetes | 42ba1d72-e90f-42f8-bf99-5a1351eed2b1 | [Preview]: Sets Kubernetes cluster containers CPU limits to default values in case not present. | Setting container CPU limits to prevent resource exhaustion attacks in a Kubernetes cluster. | Default Mutate Allowed Mutate, Disabled |
change |
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) | 2024-04-22 16:32:55 | BuiltIn | |
Security Center | c859b78a-a128-4376-a838-e97ce6625d16 | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
change |
Minor (1.4.0 > 1.5.0) | 2024-04-22 16:32:55 | BuiltIn |
Security Center | 3d5ed4c2-5e50-4c76-932b-8982691b68ae | Configure Advanced Threat Protection to be enabled on Azure database for MySQL flexible servers | Enable Advanced Threat Protection on your Azure database for MySQL flexible servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Contributor |
add |
new Policy | 2024-04-12 17:45:57 | BuiltIn |
Security Center | cfdc5972-75b3-4418-8ae1-7f5c36839390 | Configure Microsoft Defender for Storage to be enabled | Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable all Defender for Storage capabilities; Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Owner |
change |
Minor (1.1.0 > 1.2.0) | 2024-04-12 17:45:57 | BuiltIn |
Guest Configuration | 3dc5edcd-002d-444c-b216-e123bbfa37c0 | Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost. | Although a virtual machine's OS and data disks are encrypted-at-rest by default using platform managed keys; resource disks (temp disks), data caches, and data flowing between Compute and Storage resources are not encrypted. Use Azure Disk Encryption or EncryptionAtHost to remediate. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch, old suffix: preview (1.1.0-preview > 1.1.1) | 2024-04-12 17:45:57 | BuiltIn | |
Kubernetes | 42ba1d72-e90f-42f8-bf99-5a1351eed2b1 | [Preview]: Sets Kubernetes cluster containers CPU limits to default values in case not present. | Setting container CPU limits to prevent resource exhaustion attacks in a Kubernetes cluster. | Default Mutate Allowed Mutate, Disabled |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2024-04-12 17:45:57 | BuiltIn | |
Monitoring | 59c3d93f-900b-4827-a8bd-562e7b956e7c | Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.5.0 > 3.6.0) | 2024-04-12 17:45:57 | BuiltIn |
Monitoring | 1afdc4b6-581a-45fb-b630-f1e6051e3e7a | Linux virtual machines should have Azure Monitor Agent installed | Linux virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machines with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (3.1.0 > 3.2.0) | 2024-04-12 17:45:57 | BuiltIn | |
Kubernetes | 5f86d473-38a8-46c9-bdfe-d7fa3b9836bf | [Preview]: Sets Kubernetes cluster containers memory limits to default values in case not present. | Setting container memory limits to prevent resource exhaustion attacks in a Kubernetes cluster. | Default Mutate Allowed Mutate, Disabled |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2024-04-12 17:45:57 | BuiltIn | |
Kubernetes | e16d171b-bfe5-4d79-a525-19736b396e92 | [Preview]: Restricts the CriticalAddonsOnly taint to just the system pool. | To avoid eviction of user apps from user pools and maintain separation of concerns between the user and system pools, the 'CriticalAddonsOnly' taint should not be applied to user pools. | Default Mutate Allowed Mutate, Disabled |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2024-04-12 17:45:57 | BuiltIn | |
Monitoring | 845857af-0333-4c5d-bbbc-6076697da122 | Configure Linux Arc-enabled machines to run Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Azure Connected Machine Resource Administrator |
change |
Minor (2.3.0 > 2.4.0) | 2024-04-12 17:45:57 | BuiltIn |
Guest Configuration | ca88aadc-6e2b-416c-9de2-5a0f01d1693f | Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost. | Although a virtual machine's OS and data disks are encrypted-at-rest by default using platform managed keys; resource disks (temp disks), data caches, and data flowing between Compute and Storage resources are not encrypted. Use Azure Disk Encryption or EncryptionAtHost to remediate. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Patch, old suffix: preview (1.2.0-preview > 1.2.1) | 2024-04-12 17:45:57 | BuiltIn | |
Kubernetes | d77f191e-2338-45d0-b6d4-4ee1c586a192 | [Preview]: Sets maxUnavailable pods to 1 for PodDisruptionBudget resources | Setting your max unavailable pod value to 1 ensures that your application or service is available during a disruption | Default Mutate Allowed Mutate, Disabled |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2024-04-12 17:45:57 | BuiltIn | |
Kubernetes | 2ae2f266-ecc3-4d26-82c5-8c3cb7774f45 | [Preview]: Sets readOnlyRootFileSystem in the Pod spec in init containers to true if it is not set. | Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem. This works only for linux containers. | Default Mutate Allowed Mutate, Disabled |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2024-04-12 17:45:57 | BuiltIn | |
Azure Ai Services | 55eff01b-f2bd-4c32-9203-db285f709d30 | Configure Azure AI Services resources to disable local key access (disable local authentication) | Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Cognitive Services Contributor •Cognitive Services OpenAI Contributor |
add |
new Policy | 2024-04-12 17:45:57 | BuiltIn |
Monitoring | 32ade945-311e-4249-b8a4-a549924234d7 | Linux virtual machine scale sets should have Azure Monitor Agent installed | Linux virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machine scale sets with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (3.1.0 > 3.2.0) | 2024-04-12 17:45:57 | BuiltIn | |
Monitoring | f17d891d-ff20-46f2-bad3-9e0a5403a4d3 | Linux Arc-enabled machines should have Azure Monitor Agent installed | Linux Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit Arc-enabled machines in supported regions. Learn more: https://aka.ms/AMAOverview. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (1.1.0 > 1.2.0) | 2024-04-12 17:45:57 | BuiltIn | |
Monitoring | a4034bc6-ae50-406d-bf76-50f4ee5a7811 | Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.4.0 > 3.5.0) | 2024-04-12 17:45:57 | BuiltIn |
Kubernetes | 8e875f96-2c56-40ca-86db-b9f6a0be7347 | [Preview]: Sets readOnlyRootFileSystem in the Pod spec to true if it is not set. | Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem | Default Mutate Allowed Mutate, Disabled |
change |
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | 2024-04-12 17:45:57 | BuiltIn | |
Monitoring | ae8a10e6-19d6-44a3-a02d-a2bdfc707742 | Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.5.0 > 3.6.0) | 2024-04-12 17:45:57 | BuiltIn |
Monitoring | eab1f514-22e3-42e3-9a1f-e1dc9199355c | Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 002 •Log Analytics Contributor •Monitoring Contributor |
change |
Minor (4.4.0 > 4.5.0) | 2024-04-12 17:45:57 | BuiltIn |
Azure Ai Services | d45520cb-31ca-44ba-8da2-fcf914608544 | Configure Azure AI Services resources to disable local key access (disable local authentication) | Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 003 •Cognitive Services Contributor •Cognitive Services OpenAI Contributor •Search Service Contributor |
add |
new Policy | 2024-04-12 17:45:57 | BuiltIn |
Monitoring | 56a3e4f8-649b-4fac-887e-5564d11e8d3a | Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default DeployIfNotExists Allowed DeployIfNotExists, Disabled |
count: 001 •Virtual Machine Contributor |
change |
Minor (3.4.0 > 3.5.0) | 2024-04-12 17:45:57 | BuiltIn |
Kubernetes | e16d171b-bfe5-4d79-a525-19736b396e92 | [Preview]: Restricts the CriticalAddonsOnly taint to just the system pool. | To avoid eviction of user apps from user pools and maintain separation of concerns between the user and system pools, the 'CriticalAddonsOnly' taint should not be applied to user pools. | Default Mutate Allowed Mutate, Disabled |
add |
new Policy | 2024-04-08 17:52:20 | BuiltIn | |
Kubernetes | 8e875f96-2c56-40ca-86db-b9f6a0be7347 | [Preview]: Sets readOnlyRootFileSystem in the Pod spec to true if it is not set. | Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem | Default Mutate Allowed Mutate, Disabled |
add |
new Policy | 2024-04-08 17:52:20 | BuiltIn | |
Monitoring | 6567d3f3-42d0-4cfb-9606-9741ba60fa07 | Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SQL databases (microsoft.sql/servers/databases). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2024-04-08 17:52:20 | BuiltIn |
Kubernetes | 1a3b9003-eac6-4d39-a184-4a567ace7645 | [Preview]: Kubernetes cluster container images must include the preStop hook | Requires that container images include a preStop hook to gracefully terminate processes during pod shutdowns. | Default Audit Allowed Audit, Deny, Disabled |
add |
new Policy | 2024-04-08 17:52:20 | BuiltIn | |
Monitoring | 9e6aee71-3781-4acd-bba7-aac4fb067dfa | Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SQL databases (microsoft.sql/servers/databases). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.1.0 > 1.2.0) | 2024-04-08 17:52:20 | BuiltIn |
Monitoring | fc602c00-2ce3-4556-b615-fa4159517103 | Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Public IP addresses (microsoft.network/publicipaddresses). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.1.0 > 1.2.0) | 2024-04-08 17:52:20 | BuiltIn |
Monitoring | 39aa567d-69c2-4cc0-aaa9-76c6d4006b14 | Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Public IP addresses (microsoft.network/publicipaddresses). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2024-04-08 17:52:20 | BuiltIn |
Monitoring | 1513498c-3091-461a-b321-e9b433218d28 | Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Public IP addresses (microsoft.network/publicipaddresses). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2024-04-08 17:52:20 | BuiltIn |
Kubernetes | 5f86d473-38a8-46c9-bdfe-d7fa3b9836bf | [Preview]: Sets Kubernetes cluster containers memory limits to default values in case not present. | Setting container memory limits to prevent resource exhaustion attacks in a Kubernetes cluster. | Default Mutate Allowed Mutate, Disabled |
add |
new Policy | 2024-04-08 17:52:20 | BuiltIn | |
Monitoring | 480851ae-9ff3-49d1-904c-b5bd6f83f1ec | Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Hubs Namespaces (microsoft.eventhub/namespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 002 •Azure Event Hubs Data Owner •Log Analytics Contributor |
change |
Minor (1.1.0 > 1.2.0) | 2024-04-08 17:52:20 | BuiltIn |
Cognitive Services | 0725b4dd-7e76-479c-a735-68e7ee23d5ca | [Deprecated]: Cognitive Services accounts should disable public network access | To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Default Disabled Allowed Audit, Deny, Disabled |
change |
Minor, new suffix: deprecated (3.0.1 > 3.1.0-deprecated) | 2024-04-08 17:52:20 | BuiltIn | |
Security Center | 0b15565f-aa9e-48ba-8619-45960f2c314d | Email notification to subscription owner for high severity alerts should be enabled | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | Default AuditIfNotExists Allowed AuditIfNotExists, Disabled |
change |
Minor (2.0.0 > 2.1.0) | 2024-04-08 17:52:20 | BuiltIn | |
Monitoring | 8656d368-0643-4374-a63f-ae0ed4da1d9a | Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SQL databases (microsoft.sql/servers/databases). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2024-04-08 17:52:20 | BuiltIn |
Monitoring | 441af8bf-7c88-4efc-bd24-b7be28d4acce | Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Hubs Namespaces (microsoft.eventhub/namespaces). | Default DeployIfNotExists Allowed DeployIfNotExists, AuditIfNotExists, Disabled |
count: 001 •Log Analytics Contributor |
change |
Minor (1.0.0 > 1.1.0) | 2024-04-08 17:52:20 | BuiltIn |
Monitoring | e20f31d7-6b6d-4644-962a-ae513a85ab0b | Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Hubs Namespaces (microsoft.eventhub/namespaces). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | count: 001 • Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-08 17:52:20 | BuiltIn |
Security Center | 6e2593d9-add6-4083-9c9b-4b7d2188c899 | Email notification for high severity alerts should be enabled | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | change | Minor (1.0.1 > 1.1.0) | 2024-04-08 17:52:20 | BuiltIn |
Kubernetes | 42ba1d72-e90f-42f8-bf99-5a1351eed2b1 | [Preview]: Sets Kubernetes cluster containers CPU limits to default values in case not present. | Sets container CPU limits to prevent resource exhaustion attacks in a Kubernetes cluster. | Default: Mutate; Allowed: Mutate, Disabled | | add | new Policy | 2024-04-08 17:52:20 | BuiltIn |
Kubernetes | 021f8078-41a0-40e6-81b6-c6597da9f3ee | [Preview]: Kubernetes cluster container images should not include latest image tag | Requires that container images do not use the latest tag in Kubernetes. Using explicit, versioned container images is a best practice that ensures reproducibility, prevents unintended updates, and makes debugging and rollbacks easier. | Default: Audit; Allowed: Audit, Deny, Disabled | | add | new Policy | 2024-04-08 17:52:20 | BuiltIn |
Kubernetes | 2ae2f266-ecc3-4d26-82c5-8c3cb7774f45 | [Preview]: Sets readOnlyRootFileSystem in the Pod spec in init containers to true if it is not set. | Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem. This works only for Linux containers. | Default: Mutate; Allowed: Mutate, Disabled | | add | new Policy | 2024-04-08 17:52:20 | BuiltIn |
Kubernetes | d77f191e-2338-45d0-b6d4-4ee1c586a192 | [Preview]: Sets maxUnavailable pods to 1 for PodDisruptionBudget resources | Setting the maxUnavailable pod value to 1 ensures that your application or service remains available during a disruption. | Default: Mutate; Allowed: Mutate, Disabled | | add | new Policy | 2024-04-08 17:52:20 | BuiltIn |
Network | 052c180e-287d-44c3-86ef-01aeae2d9774 | Configure virtual networks to enforce workspace, storage account and retention interval for Flow logs and Traffic Analytics | If a virtual network already has traffic analytics enabled, this policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 001 • Contributor | change | Patch (1.1.1 > 1.1.2) | 2024-03-29 18:59:24 | BuiltIn |
Monitoring | 2ea82cdd-f2e8-4500-af75-67a2e084ca74 | Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 002 • Log Analytics Contributor • Monitoring Contributor | change | Minor (6.2.0 > 6.3.0) | 2024-03-29 18:59:24 | BuiltIn |
Monitoring | eab1f514-22e3-42e3-9a1f-e1dc9199355c | Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 002 • Log Analytics Contributor • Monitoring Contributor | change | Minor (4.3.0 > 4.4.0) | 2024-03-29 18:59:24 | BuiltIn |
Monitoring | 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07 | Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 002 • Log Analytics Contributor • Monitoring Contributor | change | Minor (4.1.0 > 4.2.0) | 2024-03-25 19:17:21 | BuiltIn |
Monitoring | d5c37ce1-5f52-4523-b949-f19bf945b73a | Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations is updated over time as support is increased. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 002 • Log Analytics Contributor • Monitoring Contributor | change | Minor (2.1.0 > 2.2.0) | 2024-03-25 19:17:21 | BuiltIn |
Monitoring | 94f686d6-9a24-4e19-91f1-de937dc171a4 | Configure Windows Arc-enabled machines to run Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 001 • Azure Connected Machine Resource Administrator | change | Minor (2.3.0 > 2.4.0) | 2024-03-25 19:17:21 | BuiltIn |
Monitoring | ca817e41-e85a-4783-bc7f-dc532d36235e | Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 001 • Virtual Machine Contributor | change | Minor (4.3.0 > 4.4.0) | 2024-03-25 19:17:21 | BuiltIn |
Monitoring | ec621e21-8b48-403d-a549-fc9023d4747f | Windows Arc-enabled machines should have Azure Monitor Agent installed | Windows Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows Arc-enabled machines in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | change | Minor (1.1.0 > 1.2.0) | 2024-03-25 19:17:21 | BuiltIn |
Monitoring | eab1f514-22e3-42e3-9a1f-e1dc9199355c | Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 002 • Log Analytics Contributor • Monitoring Contributor | change | Minor (4.2.0 > 4.3.0) | 2024-03-25 19:17:21 | BuiltIn |
Monitoring | 244efd75-0d92-453c-b9a3-7d73ca36ed52 | Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 002 • Log Analytics Contributor • Monitoring Contributor | change | Minor (3.2.0 > 3.3.0) | 2024-03-25 19:17:21 | BuiltIn |
Monitoring | 2ea82cdd-f2e8-4500-af75-67a2e084ca74 | Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 002 • Log Analytics Contributor • Monitoring Contributor | change | Minor (6.1.0 > 6.2.0) | 2024-03-25 19:17:21 | BuiltIn |
Monitoring | c02729e5-e5e7-4458-97fa-2b5ad0661f28 | Windows virtual machines should have Azure Monitor Agent installed | Windows virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows virtual machines with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | change | Minor (3.1.0 > 3.2.0) | 2024-03-25 19:17:21 | BuiltIn |
DevCenter | ece3c79b-2caf-470d-a5f5-66470c4fc649 | [Preview]: Microsoft Dev Box Pools should not use Microsoft Hosted Networks. | Disallows the use of Microsoft Hosted Networks when creating Pool resources. | Default: Audit; Allowed: Audit, Deny, Disabled | | add | new Policy | 2024-03-25 19:17:21 | BuiltIn |
Monitoring | 050a90d5-7cce-483f-8f6c-0df462036dda | Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 002 • Log Analytics Contributor • Monitoring Contributor | change | Minor (4.1.0 > 4.2.0) | 2024-03-25 19:17:21 | BuiltIn |
Monitoring | 3672e6f7-a74d-4763-b138-fcf332042f8f | Windows virtual machine scale sets should have Azure Monitor Agent installed | Windows virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Virtual machine scale sets with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | change | Minor (3.1.0 > 3.2.0) | 2024-03-25 19:17:21 | BuiltIn |
Monitoring | 4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff | Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 001 • Virtual Machine Contributor | change | Minor (3.3.0 > 3.4.0) | 2024-03-25 19:17:21 | BuiltIn |
Backup | d6588149-9f06-462c-a076-56aece45b5ba | [Preview]: Azure Backup Vaults should use customer-managed keys for encrypting backup data. Also an option to enforce Infra Encryption. | This policy follows the 'effect' if Encryption Settings are enabled for Backup vaults in the scope. Additionally, there is an option to check whether the Backup Vault also has Infrastructure Encryption enabled. Learn more at https://aka.ms/az-backup-vault-encryption-at-rest-with-cmk. Please note that when the 'Deny' effect is used, you will need to enable Encryption Settings on the existing Backup Vaults in order to allow other update operations on the vault to go through. | Default: Audit; Allowed: Audit, Deny, Disabled | | add | new Policy | 2024-03-25 19:17:21 | BuiltIn |
Monitoring | c24c537f-2516-4c2f-aac5-2cd26baa3d26 | Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations is updated over time as support is increased. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 002 • Log Analytics Contributor • Monitoring Contributor | change | Minor (2.1.0 > 2.2.0) | 2024-03-25 19:17:21 | BuiltIn |
Monitoring | 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 | Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 002 • Log Analytics Contributor • Monitoring Contributor | change | Minor (3.2.0 > 3.3.0) | 2024-03-25 19:17:21 | BuiltIn |
Security Center | 0fc39691-5a3f-4e3e-94ee-2e6447309ad9 | [Deprecated]: Azure running container images should have vulnerabilities resolved (powered by Qualys) | As outlined in the unified vulnerability assessment solution strategy blog (https://aka.ms/MDCUnifiedVAblog), we have made a strategic decision to unify all vulnerability assessment solutions in Defender for Cloud to use Defender vulnerability management. As part of this change, the built-in Qualys offering is now retired. See https://aka.ms/TransitionToMDVM4Containers for more information and transition guidelines. | Default: Disabled; Allowed: AuditIfNotExists, Disabled | | change | Minor, new suffix: deprecated (1.0.3 > 1.1.0-deprecated) | 2024-03-15 22:15:34 | BuiltIn |
Security Center | 5f0f936f-2f01-4bf5-b6be-d423792fa562 | [Deprecated]: Azure registry container images should have vulnerabilities resolved (powered by Qualys) | As outlined in the unified vulnerability assessment solution strategy blog (https://aka.ms/MDCUnifiedVAblog), we have made a strategic decision to unify all vulnerability assessment solutions in Defender for Cloud to use Defender vulnerability management. As part of this change, the built-in Qualys offering is now retired. See https://aka.ms/TransitionToMDVM4Containers for more information and transition guidelines. | Default: Disabled; Allowed: AuditIfNotExists, Disabled | | change | Minor, new suffix: deprecated (2.0.2 > 2.1.0-deprecated) | 2024-03-15 22:15:34 | BuiltIn |
Kubernetes | 34c88cd4-5d72-4dbb-bf77-12c3cafe8791 | [Preview]: Must Have Anti Affinity Rules Set | This policy ensures that pods are scheduled on different nodes within the cluster. By enforcing anti-affinity rules, availability is maintained even if one of the nodes becomes unavailable. Pods will continue to run on other nodes, enhancing resilience. | Default: Audit; Allowed: Audit, Deny, Disabled | | change | Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) | 2024-03-15 22:15:34 | BuiltIn |
BuiltInPolicyTest | f8d398ae-0441-4921-a341-40f3973d4647 | [Deprecated]: Azure Data Factory pipelines should only communicate with allowed domains. Versioning Test BuiltIn | This is a test policy only for internal use by the Policy team. To prevent data and token exfiltration, set the domains that Azure Data Factory should be allowed to communicate with. Note: while in public preview, compliance for this policy is not reported, and for the policy to be applied to Data Factory, please enable the outbound rules functionality in the ADF studio. For more information, visit https://aka.ms/data-exfiltration-policy. | Default: Disabled; Allowed: Deny, Disabled | | change | Minor, suffix remains equal (2.1.0-deprecated > 2.2.0-deprecated) | 2024-03-15 22:15:34 | BuiltIn |
Kubernetes | 36a27de4-199b-40fb-b336-945a8475d6c5 | Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access | Improve cluster security by centrally governing Administrator access to Microsoft Entra ID integrated AKS clusters. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 002 • Azure Kubernetes Service Contributor Role • Azure Kubernetes Service Policy Add-on Deployment | change | Minor (2.0.4 > 2.1.0) | 2024-03-15 22:15:34 | BuiltIn |
Kubernetes | b0fdedee-7b9e-4a17-9f5d-5e8e912d2f01 | [Preview]: Kubernetes cluster services should use unique selectors | Ensure Services in a Namespace Have Unique Selectors. A unique service selector ensures that each service within a namespace is uniquely identifiable based on specific criteria. This policy syncs ingress resources into OPA via Gatekeeper. Before applying, verify that the Gatekeeper pods' memory capacity won't be exceeded. Parameters apply to specific namespaces, but the policy syncs all resources of that type across all namespaces. Currently in preview for Kubernetes Service (AKS). | Default: Audit; Allowed: Audit, Deny, Disabled | | change | Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) | 2024-03-15 22:15:34 | BuiltIn |
BuiltInPolicyTest | 85793e88-5a58-4555-93fa-4df63c86ae9c | [Deprecated]: Azure Machine Learning Model Registry Deployments are restricted except for the allowed Registry. Versioning Test BuiltIn. | Only deploy Registry Models in the allowed Registry and that are not restricted. | Default: Disabled; Allowed: Deny, Disabled | | change | Minor, suffix remains equal (2.1.0-deprecated > 2.2.0-deprecated) | 2024-03-15 22:15:34 | BuiltIn |
General | 78460a36-508a-49a4-b2b2-2f5ec564f4bb | Do not allow deletion of resource types | This policy enables you to specify the resource types that your organization can protect from accidental deletion by blocking delete calls using the deny action effect. | Default: DenyAction; Allowed: DenyAction, Disabled | | change | Patch, old suffix: preview (1.0.0-preview > 1.0.1) | 2024-03-15 22:15:34 | BuiltIn |
BuiltInPolicyTest | 83a0809a-a4e3-4ef2-8a24-2afc156607af | [Deprecated]: No AKS Specific Labels. Versioning Test BuiltIn. | This is a test policy only for internal use by the Policy team. Prevents customers from applying AKS specific labels. | Default: Disabled; Allowed: Audit, Deny, Disabled | | change | Minor, suffix remains equal (2.1.0-deprecated > 2.2.0-deprecated) | 2024-03-15 22:15:34 | BuiltIn |
Kubernetes | 53a4a537-990c-495a-92e0-7c21a465442c | [Preview]: Cannot Edit Individual Nodes | Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks. | Default: Audit; Allowed: Audit, Deny, Disabled | | change | Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) | 2024-03-15 22:15:34 | BuiltIn |
Kubernetes | d9e8f2c1-4c5a-4f5c-8b5a-2abf1e9f7b4d | [Preview]: Kubernetes cluster should implement accurate Pod Disruption Budgets | Prevents faulty Pod Disruption Budgets, ensuring a minimum number of operational pods. Refer to the official Kubernetes documentation for details. Relies on Gatekeeper data replication and syncs all ingress resources scoped to it into OPA. Before applying this policy, ensure that the synced ingress resources won't strain your memory capacity. Though parameters evaluate specific namespaces, all resources of that kind across namespaces will sync. Note: currently in preview for Kubernetes Service (AKS). | Default: Audit; Allowed: Audit, Deny, Disabled | | change | Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) | 2024-03-15 22:15:34 | BuiltIn |
Kubernetes | a22123bd-b9da-4c86-9424-24903e91fd55 | [Preview]: No AKS Specific Labels | Prevents customers from applying AKS specific labels. AKS uses labels prefixed with `kubernetes.azure.com` to denote AKS owned components. The customer should not use these labels. | Default: Audit; Allowed: Audit, Deny, Disabled | | change | Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) | 2024-03-15 22:15:34 | BuiltIn |
Kubernetes | 48940d92-ff05-449e-9111-e742d9280451 | [Preview]: Reserved System Pool Taints | Restricts the CriticalAddonsOnly taint to just the system pool. AKS uses the CriticalAddonsOnly taint to keep customer pods away from the system pool. It ensures a clear separation between AKS components and customer pods, as well as prevents customer pods from being evicted if they do not tolerate the CriticalAddonsOnly taint. | Default: Audit; Allowed: Audit, Deny, Disabled | | change | Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) | 2024-03-15 22:15:34 | BuiltIn |
Trusted Launch | c95b54ad-0614-4633-ab29-104b01235cbf | Virtual Machine should have TrustedLaunch enabled | Enable TrustedLaunch on the Virtual Machine for enhanced security; use a VM SKU (Gen 2) that supports TrustedLaunch. To learn more about TrustedLaunch, visit https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch | Default: Audit; Allowed: Audit, Disabled | | add | new Policy | 2024-03-11 18:31:50 | BuiltIn |
Azure Update Manager | bd876905-5b84-4f73-ab2d-2e7a7c4568d9 | Machines should be configured to periodically check for missing system updates | To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Default: Audit; Allowed: Audit, Deny, Disabled | | change | Minor (3.6.0 > 3.7.0) | 2024-03-11 18:31:50 | BuiltIn |
Cache | 766f5de3-c6c0-4327-9f4d-042ab8ae846c | Configure Azure Cache for Redis to disable non SSL ports | Enable SSL-only connections to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session hijacking. | Default: Modify; Allowed: Modify, Disabled | count: 001 • Redis Cache Contributor | add | new Policy | 2024-03-11 18:31:50 | BuiltIn |
Azure Ai Services | 1b4d1c4e-934c-4703-944c-27c82c06bebb | Diagnostic logs in Azure AI services resources should be enabled | Enable logs for Azure AI services resources. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | | add | new Policy | 2024-03-11 18:31:50 | BuiltIn |
Azure Update Manager | 59efceea-0c96-497e-a4a1-4eb2290dac15 | Configure periodic checking for missing system updates on azure virtual machines | Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Fixed: modify | count: 001 • Contributor | change | Minor (4.7.0 > 4.8.0) | 2024-03-11 18:31:50 | BuiltIn |
Machine Learning | e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f | Azure Machine Learning Computes should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. | Default: Audit; Allowed: Audit, Deny, Disabled | | change | Minor (2.0.1 > 2.1.0) | 2024-03-11 18:31:50 | BuiltIn |
Kubernetes | a8eff44f-8c92-45c3-a3fb-9880802d67a7 | Deploy Azure Policy Add-on to Azure Kubernetes Service clusters | Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | count: 002 • Azure Kubernetes Service Contributor Role • Azure Kubernetes Service Policy Add-on Deployment | change | Minor (4.0.1 > 4.1.0) | 2024-03-11 18:31:50 | BuiltIn |
Trusted Launch | b03bb370-5249-4ea4-9fce-2552e87e45fa | Disks and OS image should support TrustedLaunch | TrustedLaunch improves the security of a Virtual Machine and requires the OS Disk and OS Image to support it (Gen 2). To learn more about TrustedLaunch, visit https://aka.ms/trustedlaunch | Default: Audit; Allowed: Audit, Disabled | | add | new Policy | 2024-03-11 18:31:50 | BuiltIn |
Machine Learning | a6f9a2d0-cff7-4855-83ad-4cd750666512 | Configure Azure Machine Learning Computes to disable local authentication methods | Disable local authentication methods so that your Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. | Default: Modify; Allowed: Modify, Disabled |
count: 001 • |