| Json |
{
"properties": {
"displayName": "Enable Monitoring in Azure Security Center",
"policyType": "BuiltIn",
"description": "Monitor all the available security recommendations in Azure Security Center. This is the default policy for Azure Security Center.",
"metadata": {
"version": "19.0.1",
"category": "Security Center"
},
"parameters": {
"useServicePrincipalToProtectSubscriptionsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Service principals should be used to protect your subscriptions instead of management certificates",
"description": "Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, use of service principals with Resource Manager is recommended to limit the impact of a certificate compromise."
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"updateOsVersionMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Operating system version should be the most current version for your cloud service roles",
"description": "Keeping the operating system (OS) on the most recent supported version for your cloud service roles enhances the systems security posture."
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"resolveLogAnalyticsHealthIssuesMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Log Analytics agent health issues should be resolved on your machines",
"description": "Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is installed on the virtual machines and properly collects security events to the configured workspace."
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"installLogAnalyticsAgentOnVmMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring",
"description": "This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"installLogAnalyticsAgentOnVmssMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring",
"description": "Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats."
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"certificatesValidityPeriodMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Manage certificate validity period",
"description": "Enable or disable manage certificate validity period."
},
"allowedValues": [
"audit",
"deny",
"disabled"
],
"defaultValue": "disabled"
},
"certificatesValidityPeriodInMonths": {
"type": "Integer",
"metadata": {
"displayName": "The maximum validity period in months of managed certificate",
"description": "The limit to how long a certificate may be valid for. Certificates with lengthy validity periods aren't best practice."
},
"defaultValue": 12
},
"azurePolicyforWindowsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Guest Configuration extension should be installed on Windows virtual machines",
"description": "Enable or disable virtual machines reporting that the Guest Configuration extension for Windows should be installed"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"windowsDefenderExploitGuardMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Windows Defender Exploit Guard should be enabled on your Windows virtual machines",
"description": "Enable or disable virtual machines reporting that Windows Defender Exploit Guard is enabled"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"vmssSystemUpdatesMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "System updates on virtual machine scale sets should be installed",
"description": "Enable or disable virtual machine scale sets reporting of system updates"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"vmssEndpointProtectionMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Endpoint protection solution should be installed on virtual machine scale sets",
"description": "Enable or disable virtual machine scale sets endpoint protection monitoring"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"vmssOsVulnerabilitiesMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Vulnerabilities in security configuration on your virtual machine scale sets should be remediated",
"description": "Enable or disable virtual machine scale sets OS vulnerabilities monitoring"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"systemUpdatesMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "System updates should be installed on your machines",
"description": "Enable or disable reporting of system updates"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"systemConfigurationsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Vulnerabilities in security configuration on your machines should be remediated",
"description": "Enable or disable OS vulnerabilities monitoring (based on a configured baseline)"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"endpointProtectionMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Monitor missing Endpoint Protection in Azure Security Center",
"description": "Enable or disable endpoint protection monitoring"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"diskEncryptionMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Disk encryption should be applied on virtual machines",
"description": "Enable or disable the monitoring for VM disk encryption"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"networkSecurityGroupsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Monitor network security groups",
"description": "Enable or disable monitoring of network security groups with permissive rules",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"networkSecurityGroupsOnSubnetsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Network Security Groups on the subnet level should be enabled",
"description": "Enable or disable monitoring of NSGs on subnets"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"networkSecurityGroupsOnVirtualMachinesMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Internet-facing virtual machines should be protected with network security groups",
"description": "Enable or disable monitoring of NSGs on VMs"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"networkSecurityGroupsOnInternalVirtualMachinesMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Non-internet-facing virtual machines should be protected with network security groups",
"description": "Enable or disable monitoring of NSGs on VMs"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"webApplicationFirewallMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Web ports should be restricted on Network Security Groups associated to your VM",
"description": "Enable or disable the monitoring of unprotected web applications",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"nextGenerationFirewallMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "All network ports should be restricted on network security groups associated to your virtual machine",
"description": "Enable or disable overly permissive inbound NSG rules monitoring."
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"vulnerabilityAssesmentMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Vulnerabilities should be remediated by a Vulnerability Assessment solution",
"description": "Enable or disable the detection of VM vulnerabilities by a vulnerability assessment solution"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"serverVulnerabilityAssessmentEffect": {
"type": "String",
"metadata": {
"displayName": "A vulnerability assessment solution should be enabled on your virtual machines",
"description": "Enable or disable the detection of virtual machine vulnerabilities by Azure Security Center vulnerability assessment"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"storageEncryptionMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Audit missing blob encryption for storage accounts",
"description": "Enable or disable the monitoring of blob encryption for storage accounts",
"deprecated": true
},
"allowedValues": [
"Audit",
"Disabled"
],
"defaultValue": "Disabled"
},
"jitNetworkAccessMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Management ports of virtual machines should be protected with just-in-time network access control",
"description": "Enable or disable the monitoring of network just-in-time access"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"adaptiveApplicationControlsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Adaptive application controls for defining safe applications should be enabled on your machines",
"description": "Enable or disable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"adaptiveApplicationControlsUpdateMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Allowlist rules in your adaptive application control policy should be updated",
"description": "Enable or disable the monitoring for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"sqlAuditingMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Monitor unaudited SQL servers in Azure Security Center",
"description": "Enable or disable the monitoring of unaudited SQL databases",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"sqlEncryptionMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Monitor unencrypted SQL databases in Azure Security Center",
"description": "Enable or disable the monitoring of unencrypted SQL databases",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"sqlDbEncryptionMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Transparent Data Encryption on SQL databases should be enabled",
"description": "Enable or disable the monitoring of unencrypted SQL databases"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"sqlServerAuditingMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Auditing should be enabled on advanced data security settings on SQL Server",
"description": "Enable or disable the monitoring of unaudited SQL Servers"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"sqlServerAuditingActionsAndGroupsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "SQL Auditing settings should have Action-Groups configured to capture critical activities",
"description": "Enable or disable the monitoring of auditing policy Action-Groups and Actions setting",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"SqlServerAuditingRetentionDaysMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "SQL servers should be configured with auditing retention days greater than 90 days",
"description": "Enable or disable the monitoring of SQL servers with auditing retention period less than 90",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"diagnosticsLogsInAppServiceMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Monitor diagnostic logs in Azure App Services",
"description": "Enable or disable the monitoring of diagnostics logs in Azure App Services",
"deprecated": true
},
"allowedValues": [
"Audit",
"Disabled"
],
"defaultValue": "Disabled"
},
"diagnosticsLogsInSelectiveAppServicesMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Diagnostic logs in App Services should be enabled",
"description": "Enable or disable the monitoring of diagnostics logs in Azure App Services",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"encryptionOfAutomationAccountMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Automation account variables should be encrypted",
"description": "Enable or disable the monitoring of automation account encryption"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Audit"
},
"diagnosticsLogsInBatchAccountMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Diagnostic logs in Batch accounts should be enabled",
"description": "Enable or disable the monitoring of diagnostic logs in Batch accounts"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"diagnosticsLogsInBatchAccountRetentionDays": {
"type": "String",
"metadata": {
"displayName": "Required retention (in days) for logs in Batch accounts",
"description": "The required diagnostic logs retention period in days"
},
"defaultValue": "365"
},
"metricAlertsInBatchAccountMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Metric alert rules should be configured on Batch accounts",
"description": "Enable or disable the monitoring of metric alerts in Batch accounts",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"classicComputeVMsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Virtual machines should be migrated to new Azure Resource Manager resources",
"description": "Enable or disable the monitoring of classic compute VMs"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Audit"
},
"classicStorageAccountsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Storage accounts should be migrated to new Azure Resource Manager resources",
"description": "Enable or disable the monitoring of classic storage accounts"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Audit"
},
"diagnosticsLogsInDataLakeAnalyticsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Diagnostic logs in Data Lake Analytics should be enabled",
"description": "Enable or disable the monitoring of diagnostic logs in Data Lake Analytics accounts"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"diagnosticsLogsInDataLakeAnalyticsRetentionDays": {
"type": "String",
"metadata": {
"displayName": "Required retention (in days) of logs in Data Lake Analytics accounts",
"description": "The required diagnostic logs retention period in days"
},
"defaultValue": "365"
},
"diagnosticsLogsInDataLakeStoreMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Diagnostic logs in Azure Data Lake Store should be enabled",
"description": "Enable or disable the monitoring of diagnostic logs in Data Lake Store accounts"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"diagnosticsLogsInDataLakeStoreRetentionDays": {
"type": "String",
"metadata": {
"displayName": "Required retention (in days) of logs in Data Lake Store accounts",
"description": "The required diagnostic logs retention period in days"
},
"defaultValue": "365"
},
"diagnosticsLogsInEventHubMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Diagnostic logs in Event Hub should be enabled",
"description": "Enable or disable the monitoring of diagnostic logs in Event Hub accounts"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"diagnosticsLogsInEventHubRetentionDays": {
"type": "String",
"metadata": {
"displayName": "Required retention (in days) of logs in Event Hub accounts",
"description": "The required diagnostic logs retention period in days"
},
"defaultValue": "365"
},
"diagnosticsLogsInKeyVaultMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Diagnostic logs in Key Vault should be enabled",
"description": "Enable or disable the monitoring of diagnostic logs in Key Vault vaults"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"diagnosticsLogsInKeyVaultRetentionDays": {
"type": "String",
"metadata": {
"displayName": "Required retention (in days) of logs in Key Vault vaults",
"description": "The required diagnostic logs retention period in days"
},
"defaultValue": "365"
},
"diagnosticsLogsInLogicAppsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Diagnostic logs in Logic Apps should be enabled",
"description": "Enable or disable the monitoring of diagnostic logs in Logic Apps workflows"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"diagnosticsLogsInLogicAppsRetentionDays": {
"type": "String",
"metadata": {
"displayName": "Required retention (in days) of logs in Logic Apps workflows",
"description": "The required diagnostic logs retention period in days"
},
"defaultValue": "365"
},
"diagnosticsLogsInRedisCacheMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Only secure connections to your Redis Cache should be enabled",
"description": "Enable or disable the monitoring of diagnostic logs in Azure Redis Cache"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Audit"
},
"diagnosticsLogsInSearchServiceMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Diagnostic logs in Search services should be enabled",
"description": "Enable or disable the monitoring of diagnostic logs in Azure Search service"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"diagnosticsLogsInSearchServiceRetentionDays": {
"type": "String",
"metadata": {
"displayName": "Required retention (in days) of logs in Azure Search service",
"description": "The required diagnostic logs retention period in days"
},
"defaultValue": "365"
},
"aadAuthenticationInServiceFabricMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Service Fabric clusters should only use Azure Active Directory for client authentication",
"description": "Enable or disable the monitoring of Azure Active Directory for client authentication in Service Fabric"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Audit"
},
"clusterProtectionLevelInServiceFabricMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign",
"description": "Enable or disable the monitoring of cluster protection level in Service Fabric"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Audit"
},
"diagnosticsLogsInServiceBusMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Diagnostic logs in Service Bus should be enabled",
"description": "Enable or disable the monitoring of diagnostic logs in Service Bus"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"diagnosticsLogsInServiceBusRetentionDays": {
"type": "String",
"metadata": {
"displayName": "Required retention (in days) of logs in Service Bus",
"description": "The required diagnostic logs retention period in days"
},
"defaultValue": "365"
},
"namespaceAuthorizationRulesInServiceBusMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace",
"description": "Enable or disable the monitoring of Service Bus namespace authorization rules",
"deprecated": true
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Disabled"
},
"aadAuthenticationInSqlServerMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "An Azure Active Directory administrator should be provisioned for SQL servers",
"description": "Enable or disable the monitoring of an Azure AD admininistrator for SQL server"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"secureTransferToStorageAccountMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Secure transfer to storage accounts should be enabled",
"description": "Enable or disable the monitoring of secure transfer to storage account"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Audit"
},
"diagnosticsLogsInStreamAnalyticsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Diagnostic logs in Azure Stream Analytics should be enabled",
"description": "Enable or disable the monitoring of diagnostic logs in Stream Analytics"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"diagnosticsLogsInStreamAnalyticsRetentionDays": {
"type": "String",
"metadata": {
"displayName": "Required retention (in days) of logs in Stream Analytics",
"description": "The required diagnostic logs retention period in days"
},
"defaultValue": "365"
},
"useRbacRulesMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Audit usage of custom RBAC rules",
"description": "Enable or disable the monitoring of using built-in RBAC rules"
},
"allowedValues": [
"Audit",
"Disabled"
],
"defaultValue": "Audit"
},
"disableUnrestrictedNetworkToStorageAccountMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Audit unrestricted network access to storage accounts",
"description": "Enable or disable the monitoring of network access to storage account"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Disabled"
},
"diagnosticsLogsInServiceFabricMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Diagnostic logs in Virtual Machine Scale Sets should be enabled",
"description": "Enable or disable the monitoring of diagnostic logs in Service Fabric"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"accessRulesInEventHubNamespaceMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace",
"description": "Enable or disable the monitoring of access rules in Event Hub namespaces",
"deprecated": true
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Disabled"
},
"accessRulesInEventHubMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Authorization rules on the Event Hub instance should be defined",
"description": "Enable or disable the monitoring of access rules in Event Hubs",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"sqlDbVulnerabilityAssesmentMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Vulnerabilities on your SQL databases should be remediated",
"description": "Enable or disable the monitoring of Vulnerability Assessment scan results and recommendations for how to remediate database vulnerabilities."
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"sqlDbDataClassificationMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Sensitive data in your SQL databases should be classified",
"description": "Enable or disable the monitoring of sensitive data classification in databases."
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"identityDesignateLessThanOwnersMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "A maximum of 3 owners should be designated for your subscription",
"description": "Enable or disable the monitoring of maximum owners in subscription"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"identityDesignateMoreThanOneOwnerMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "There should be more than one owner assigned to your subscription",
"description": "Enable or disable the monitoring of minimum owners in subscription"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"identityEnableMFAForOwnerPermissionsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "MFA should be enabled on accounts with owner permissions on your subscription",
"description": "Enable or disable the monitoring of MFA for accounts with owner permissions in subscription"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"identityEnableMFAForWritePermissionsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "MFA should be enabled accounts with write permissions on your subscription",
"description": "Enable or disable the monitoring of MFA for accounts with write permissions in subscription"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"identityEnableMFAForReadPermissionsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "MFA should be enabled on accounts with read permissions on your subscription",
"description": "Enable or disable the monitoring of MFA for accounts with read permissions in subscription"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Deprecated accounts with owner permissions should be removed from your subscription",
"description": "Enable or disable the monitoring of deprecated acounts with owner permissions in subscription"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"identityRemoveDeprecatedAccountMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Deprecated accounts should be removed from your subscription",
"description": "Enable or disable the monitoring of deprecated acounts in subscription"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "External accounts with owner permissions should be removed from your subscription",
"description": "Enable or disable the monitoring of external acounts with owner permissions in subscription"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "External accounts with write permissions should be removed from your subscription",
"description": "Enable or disable the monitoring of external acounts with write permissions in subscription"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "External accounts with read permissions should be removed from your subscription",
"description": "Enable or disable the monitoring of external acounts with read permissions in subscription"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"apiAppConfigureIPRestrictionsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Monitor Configure IP restrictions for API App",
"description": "Enable or disable the monitoring of IP restrictions for API App",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"functionAppConfigureIPRestrictionsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Monitor Configure IP restrictions for Function App",
"description": "Enable or disable the monitoring of IP restrictions for Function App",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"webAppConfigureIPRestrictionsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Monitor Configure IP restrictions for Web App",
"description": "Enable or disable the monitoring of IP restrictions for Web App",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"apiAppDisableRemoteDebuggingMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Remote debugging should be turned off for API App",
"description": "Enable or disable the monitoring of remote debugging for API App"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"functionAppDisableRemoteDebuggingMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Remote debugging should be turned off for Function App",
"description": "Enable or disable the monitoring of remote debugging for Function App"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"webAppDisableRemoteDebuggingMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Remote debugging should be turned off for Web Application",
"description": "Enable or disable the monitoring of remote debugging for Web App"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"apiAppAuditFtpsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "FTPS should be required in your API App",
"description": "Enable FTPS enforcement for enhanced security",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"functionAppAuditFtpsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "FTPS should be required in your Function App",
"description": "Enable FTPS enforcement for enhanced security",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"webAppAuditFtpsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "FTPS should be required in your Web App",
"description": "Enable FTPS enforcement for enhanced security",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"apiAppUseManagedIdentityMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "A managed identity should be used in your API App",
"description": "Use a managed identity for enhanced authentication security",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"functionAppUseManagedIdentityMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "A managed identity should be used in your Function App",
"description": "Use a managed identity for enhanced authentication security",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"webAppUseManagedIdentityMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "A managed identity should be used in your Web App",
"description": "Use a managed identity for enhanced authentication security",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"apiAppRequireLatestTlsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Latest TLS version should be used in your API App",
"description": "Upgrade to the latest TLS version",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"functionAppRequireLatestTlsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Latest TLS version should be used in your Function App",
"description": "Upgrade to the latest TLS version",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"webAppRequireLatestTlsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Latest TLS version should be used in your Web App",
"description": "Upgrade to the latest TLS version",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"apiAppDisableWebSocketsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Monitor disable web sockets for API App",
"description": "Enable or disable the monitoring of web sockets for API App",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"functionAppDisableWebSocketsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Monitor disable web sockets for Function App",
"description": "Enable or disable the monitoring of web sockets for Function App",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"webAppDisableWebSocketsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Monitor disable web sockets for Web App",
"description": "Enable or disable the monitoring of web sockets for Web App",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"apiAppEnforceHttpsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "API App should only be accessible over HTTPS",
"description": "Enable or disable the monitoring of the use of HTTPS in API App",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"functionAppEnforceHttpsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Function App should only be accessible over HTTPS",
"description": "Enable or disable the monitoring of the use of HTTPS in function App",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"webAppEnforceHttpsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Web Application should only be accessible over HTTPS",
"description": "Enable or disable the monitoring of the use of HTTPS in Web App",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"apiAppEnforceHttpsMonitoringEffectV2": {
"type": "String",
"metadata": {
"displayName": "API App should only be accessible over HTTPS V2",
"description": "Enable or disable the monitoring of the use of HTTPS in API App V2"
},
"allowedValues": [
"Audit",
"Disabled"
],
"defaultValue": "Audit"
},
"functionAppEnforceHttpsMonitoringEffectV2": {
"type": "String",
"metadata": {
"displayName": "Function App should only be accessible over HTTPS V2",
"description": "Enable or disable the monitoring of the use of HTTPS in function App V2"
},
"allowedValues": [
"Audit",
"Disabled"
],
"defaultValue": "Audit"
},
"webAppEnforceHttpsMonitoringEffectV2": {
"type": "String",
"metadata": {
"displayName": "Web Application should only be accessible over HTTPS V2",
"description": "Enable or disable the monitoring of the use of HTTPS in Web App V2"
},
"allowedValues": [
"Audit",
"Disabled"
],
"defaultValue": "Audit"
},
"apiAppRestrictCORSAccessMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "CORS should not allow every resource to access your API App",
"description": "Enable or disable the monitoring of CORS restrictions for API App"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"functionAppRestrictCORSAccessMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "CORS should not allow every resource to access your Function App",
"description": "Enable or disable the monitoring of CORS restrictions for API Function"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"webAppRestrictCORSAccessMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "CORS should not allow every resource to access your Web Application",
"description": "Enable or disable the monitoring of CORS restrictions for API Web"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"apiAppUsedCustomDomainsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Monitor the custom domain use in API App",
"description": "Enable or disable the monitoring of custom domain use in API App",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"functionAppUsedCustomDomainsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Monitor the custom domain use in Function App",
"description": "Enable or disable the monitoring of custom domain use in Function App",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"webAppUsedCustomDomainsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Monitor the custom domain use in Web App",
"description": "Enable or disable the monitoring of custom domain use in Web App",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"apiAppUsedLatestDotNetMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Monitor use latest .NET in API App",
"description": "Enable or disable the monitoring of .NET version in API App",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"webAppUsedLatestDotNetMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Monitor use latest .NET in Web App",
"description": "Enable or disable the monitoring of .NET version in Web App",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"apiAppUsedLatestJavaMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Monitor use latest Java in API App",
"description": "Enable or disable the monitoring of Java version in API App",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"webAppUsedLatestJavaMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Monitor use latest Java in Web App",
"description": "Enable or disable the monitoring of Java version in Web App",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"webAppUsedLatestNodeJsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Monitor use latest Node.js in Web App",
"description": "Enable or disable the monitoring of Node.js version in Web App",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"apiAppUsedLatestPHPMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Monitor use latest PHP in API App",
"description": "Enable or disable the monitoring of PHP version in API App",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"webAppUsedLatestPHPMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Monitor use latest PHP in Web App",
"description": "Enable or disable the monitoring of PHP version in Web App",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"apiAppUsedLatestPythonMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Monitor use latest Python in API App",
"description": "Enable or disable the monitoring of Python version in API App",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"webAppUsedLatestPythonMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Monitor use latest Python in Web App",
"description": "Enable or disable the monitoring of Python version in Web App",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"vnetEnableDDoSProtectionMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Azure DDoS Protection Standard should be enabled",
"description": "Enable or disable the monitoring of DDoS protection for virtual network"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"diagnosticsLogsInIoTHubMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Diagnostic logs in IoT Hub should be enabled",
"description": "Enable or disable the monitoring of diagnostic logs in IoT Hubs"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"diagnosticsLogsInIoTHubRetentionDays": {
"type": "String",
"metadata": {
"displayName": "Required retention (in days) of logs in IoT Hub accounts",
"description": "The required diagnostic logs retention period in days"
},
"defaultValue": "365"
},
"sqlServerAdvancedDataSecurityMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Advanced data security should be enabled on your SQL servers",
"description": "Enable or disable the monitoring of SQL servers without Advanced Data Security"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"sqlManagedInstanceAdvancedDataSecurityMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Advanced data security should be enabled on SQL Managed Instance",
"description": "Enable or disable the monitoring of each SQL Managed Instance without advanced data security."
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"sqlServerAdvancedDataSecurityEmailsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Advanced data security settings for SQL server should contain an email address to receive security alerts",
"description": "Enable or disable the monitoring that advanced data security settings for SQL server contain at least one email address to receive security alerts",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Advanced data security settings for SQL Managed Instance should contain an email address to receive security alerts",
"description": "Enable or disable the monitoring that advanced data security settings for SQL Managed Instance contain at least one email address to receive security alerts.",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Email notifications to admins and subscription owners should be enabled in SQL server advanced data security settings",
"description": "Enable or disable auditing that 'email notification to admins and subscription owners' is enabled in the SQL Server advanced threat protection settings. This ensures that any detections of anomalous activities on SQL server are reported as soon as possible to the admins.",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Email notifications to admins and subscription owners should be enabled in SQL Managed Instance advanced data security settings",
"description": "Enable or disable auditing that 'email notification to admins and subscription owners' is enabled in SQL Managed Instance advanced threat protection settings. This setting ensures that any detections of anomalous activities on SQL Managed Instance are reported as soon as possible to the admins.",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"kubernetesServiceRbacEnabledMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Role-Based Access Control (RBAC) should be used on Kubernetes Services",
"description": "Enable or disable the monitoring of Kubernetes Services without RBAC enabled"
},
"allowedValues": [
"Audit",
"Disabled"
],
"defaultValue": "Audit"
},
"kubernetesServicePspEnabledMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Pod Security Policies should be defined on Kubernetes Services",
"description": "Enable or disable the monitoring of Kubernetes Services without Pod Security Policy enabled",
"deprecated": true
},
"allowedValues": [
"Audit",
"Disabled"
],
"defaultValue": "Disabled"
},
"kubernetesServiceAuthorizedIPRangesEnabledMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Authorized IP ranges should be defined on Kubernetes Services",
"description": "Enable or disable the monitoring of Kubernetes Services without Authorized IP Ranges enabled"
},
"allowedValues": [
"Audit",
"Disabled"
],
"defaultValue": "Audit"
},
"kubernetesServiceVersionUpToDateMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Kubernetes Services should be upgraded to a non vulnerable Kubernetes version",
"description": "Enable or disable the monitoring of the Kubernetes Services with versions that contain known vulnerabilities"
},
"allowedValues": [
"Audit",
"Disabled"
],
"defaultValue": "Audit"
},
"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Vulnerability assessment should be enabled on SQL Managed Instance",
"description": "Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities."
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"vulnerabilityAssessmentOnServerMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Vulnerability assessment should be enabled on your SQL servers",
"description": "Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities."
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"threatDetectionTypesOnManagedInstanceMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Advanced Threat Protection types should be set to 'All' in SQL Managed Instance advanced data security settings",
"description": "It's recommended to enable all Advanced Threat Protection types on your SQL Managed Instance. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"threatDetectionTypesOnServerMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Advanced Threat Protection types should be set to 'All' in SQL server Advanced Data Security settings",
"description": "It is recommended to enable all Advanced Threat Protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"adaptiveNetworkHardeningsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Adaptive Network Hardening recommendations should be applied on internet facing virtual machines",
"description": "Enable or disable the monitoring of Internet-facing virtual machines for Network Security Group traffic hardening recommendations"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"restrictAccessToManagementPortsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Management ports should be closed on your virtual machines",
"description": "Enable or disable the monitoring of open management ports on Virtual Machines"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"restrictAccessToAppServicesMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Access to App Services should be restricted",
"description": "Enable or disable the monitoring of permissive network access to app-services",
"deprecated": true
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "Disabled"
},
"disableIPForwardingMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "IP Forwarding on your virtual machine should be disabled",
"description": "Enable or disable the monitoring of IP forwarding on virtual machines"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"ensureServerTDEIsEncryptedWithYourOwnKeyMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "SQL server TDE protector should be encrypted with your own key",
"description": "Enable or disable the monitoring of Transparent Data Encryption (TDE) with your own key support. TDE with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties."
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"ensureManagedInstanceTDEIsEncryptedWithYourOwnKeyMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "SQL Managed Instance TDE protector should be encrypted with your own key",
"description": "Enable or disable the monitoring of Transparent Data Encryption (TDE) with your own key support. TDE with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties."
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"containerBenchmarkMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Vulnerabilities in container security configurations should be remediated",
"description": "Enable or disable container benchmark monitoring"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"ASCDependencyAgentAuditWindowsEffect": {
"type": "String",
"metadata": {
"displayName": "Audit Dependency Agent for Windows VMs monitoring",
"description": "Enable or disable Dependency Agent for Windows VMs"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"ASCDependencyAgentAuditLinuxEffect": {
"type": "String",
"metadata": {
"displayName": "Audit Dependency Agent for Linux VMs monitoring",
"description": "Enable or disable Dependency Agent for Linux VMs"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"AzureFirewallEffect": {
"type": "String",
"metadata": {
"displayName": "All Internet traffic should be routed via your deployed Azure Firewall",
"description": "Enable or disable All Internet traffic should be routed via your deployed Azure Firewall"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"ArcWindowsMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Log Analytics agent should be installed on your Windows Azure Arc machines",
"description": "Enable or disable Log Analytics agent should be installed on your Windows Azure Arc machines"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"ArcLinuxMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Log Analytics agent should be installed on your Linux Azure Arc machines",
"description": "Enable or disable Log Analytics agent should be installed on your Linux Azure Arc machines"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"keyVaultsAdvancedDataSecurityMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Azure Defender for Key Vault should be enabled",
"description": "Enable or disable Azure Defender for Key Vault"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"sqlServersAdvancedDataSecurityMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Azure Defender for Azure SQL Database servers should be enabled",
"description": "Enable or disable Azure Defender for Azure SQL Database servers"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"sqlServersVirtualMachinesAdvancedDataSecurityMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Azure Defender for SQL servers on machines should be enabled",
"description": "Enable or disable Azure Defender for SQL servers on Machines"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"storageAccountsAdvancedDataSecurityMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Azure Defender for Storage should be enabled",
"description": "Enable or disable Azure Defender for storage"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"appServicesAdvancedThreatProtectionMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Azure Defender for App Services should be enabled",
"description": "Enable or disable Azure Defender for App Service"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"containerRegistryAdvancedThreatProtectionMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Azure Defender for container registries should be enabled",
"description": "Enable or disable Azure Defender for container registries"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"kubernetesServiceAdvancedThreatProtectionMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Azure Defender for Kubernetes should be enabled",
"description": "Enable or disable Azure Defender for Kubernetes"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"virtualMachinesAdvancedThreatProtectionMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Azure Defender for servers should be enabled",
"description": "Enable or disable Azure Defender for servers"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"azurePolicyAddonStatusEffect": {
"type": "String",
"metadata": {
"displayName": "Azure Policy Add-on for Kubernetes should be installed and enabled on Azure Kubernetes Service (AKS) clusters",
"description": "Enable or disable reporting of the Azure Policy Add-on is enabled on Azure Kubernetes managed cluster"
},
"allowedValues": [
"Audit",
"Disabled"
],
"defaultValue": "Audit"
},
"allowedContainerImagesInKubernetesClusterEffect": {
"type": "String",
"metadata": {
"displayName": "Container images should be deployed from trusted registries only",
"description": "Enable or disable monitoring of allowed container images in Kubernetes clusters"
},
"allowedValues": [
"audit",
"deny",
"disabled"
],
"defaultValue": "audit"
},
"allowedContainerImagesInKubernetesClusterRegex": {
"type": "String",
"metadata": {
"displayName": "Allowed container images regex",
"description": "The RegEx rule used to match allowed container images in a Kubernetes cluster. For example, to allow any Azure Container Registry image by matching partial path: ^.+azurecr.io/.+$"
},
"defaultValue": "^(.+){0}$"
},
"allowedContainerImagesNamespaceExclusion": {
"type": "Array",
"metadata": {
"displayName": "Kubernetes namespaces to exclude from monitoring of allowed container images",
"description": "List of Kubernetes namespaces to exclude from evaluation of allowed container images in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them."
},
"defaultValue": [
"kube-system",
"gatekeeper-system",
"azure-arc"
]
},
"privilegedContainersShouldBeAvoidedEffect": {
"type": "String",
"metadata": {
"displayName": "Privileged containers should be avoided",
"description": "Enable or disable monitoring of privileged containers in Kubernetes clusters"
},
"allowedValues": [
"audit",
"deny",
"disabled"
],
"defaultValue": "audit"
},
"privilegedContainerNamespaceExclusion": {
"type": "Array",
"metadata": {
"displayName": "Kubernetes namespaces to exclude from monitoring of privileged containers",
"description": "List of Kubernetes namespaces to exclude from evaluation of privileged containers in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them."
},
"defaultValue": [
"kube-system",
"gatekeeper-system",
"azure-arc"
]
},
"allowedContainerPortsInKubernetesClusterEffect": {
"type": "String",
"metadata": {
"displayName": "Containers should listen on allowed ports only",
"description": "Enable or disable monitoring of allowed container ports in Kubernetes clusters"
},
"allowedValues": [
"audit",
"deny",
"disabled"
],
"defaultValue": "audit"
},
"allowedContainerPortsInKubernetesClusterPorts": {
"type": "Array",
"metadata": {
"displayName": "Allowed container ports list",
"description": "List of container ports allowed in Kubernetes cluster. Use ; to separate values"
},
"defaultValue": [
"-1"
]
},
"allowedContainerPortsInKubernetesClusterNamespaceExclusion": {
"type": "Array",
"metadata": {
"displayName": "Kubernetes namespaces to exclude from monitoring of allowed container port",
"description": "List of Kubernetes namespaces to exclude from evaluation of allowed container ports in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them."
},
"defaultValue": [
"kube-system",
"gatekeeper-system",
"azure-arc"
]
},
"allowedServicePortsInKubernetesClusterEffect": {
"type": "String",
"metadata": {
"displayName": "Services should listen on allowed ports only",
"description": "Enable or disable monitoring of allowed service ports in Kubernetes clusters"
},
"allowedValues": [
"audit",
"deny",
"disabled"
],
"defaultValue": "audit"
},
"allowedservicePortsInKubernetesClusterPorts": {
"type": "Array",
"metadata": {
"displayName": "Allowed service ports list",
"description": "List of service ports allowed in Kubernetes cluster. Use ; to separate values"
},
"defaultValue": [
"-1"
]
},
"allowedServicePortsInKubernetesClusterNamespaceExclusion": {
"type": "Array",
"metadata": {
"displayName": "Kubernetes namespaces to exclude from monitoring of allowed service ports",
"description": "List of Kubernetes namespaces to exclude from evaluation of allowed service ports in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them."
},
"defaultValue": [
"kube-system",
"gatekeeper-system",
"azure-arc"
]
},
"NoPrivilegeEscalationInKubernetesClusterEffect": {
"type": "String",
"metadata": {
"displayName": "Container with privileged escalation should be avoided",
"description": "Enable or disable monitoring of privileged escalation containers in Kubernetes clusters"
},
"allowedValues": [
"audit",
"deny",
"disabled"
],
"defaultValue": "audit"
},
"NoPrivilegeEscalationInKubernetesClusterNamespaceExclusion": {
"type": "Array",
"metadata": {
"displayName": "Kubernetes namespaces to exclude from monitoring of privileged escalation containers",
"description": "List of Kubernetes namespaces to exclude from evaluation of privileged escalation containers in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them."
},
"defaultValue": [
"kube-system",
"gatekeeper-system",
"azure-arc"
]
},
"NoSharingSensitiveHostNamespacesInKubernetesEffect": {
"type": "String",
"metadata": {
"displayName": "Containers sharing sensitive host namespaces should be avoided",
"description": "Enable or disable monitoring of shared sensitive host namespaces in Kubernetes clusters"
},
"allowedValues": [
"audit",
"deny",
"disabled"
],
"defaultValue": "audit"
},
"NoSharingSensitiveHostNamespacesInKubernetesNamespaceExclusion": {
"type": "Array",
"metadata": {
"displayName": "Kubernetes namespaces to exclude from monitoring of sharing sensitive host namespaces in Kubernetes clusters",
"description": "List of Kubernetes namespaces to exclude from evaluation of sharing sensitive host namespaces in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them."
},
"defaultValue": [
"kube-system",
"gatekeeper-system",
"azure-arc"
]
},
"ReadOnlyRootFileSystemInKubernetesClusterEffect": {
"type": "String",
"metadata": {
"displayName": "Immutable (read-only) root filesystem should be enforced for containers",
"description": "Enable or disable monitoring of containers running with a read only root file system in Kubernetes clusters"
},
"allowedValues": [
"audit",
"deny",
"disabled"
],
"defaultValue": "audit"
},
"ReadOnlyRootFileSystemInKubernetesClusterNamespaceExclusion": {
"type": "Array",
"metadata": {
"displayName": "Kubernetes namespaces to exclude from monitoring of containers running with a read only root file system",
"description": "List of Kubernetes namespaces to exclude from evaluation to monitoring of containers running with a read only root file system in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them."
},
"defaultValue": [
"kube-system",
"gatekeeper-system",
"azure-arc"
]
},
"AllowedCapabilitiesInKubernetesClusterEffect": {
"type": "String",
"metadata": {
"displayName": "Least privileged Linux capabilities should be enforced for containers",
"description": "Enable or disable monitoring of Kubernetes containers using allowed capabilities only"
},
"allowedValues": [
"audit",
"deny",
"disabled"
],
"defaultValue": "audit"
},
"AllowedCapabilitiesInKubernetesClusterNamespaceExclusion": {
"type": "Array",
"metadata": {
"displayName": "Kubernetes namespaces to exclude from monitoring of containers use only allowed capabilities",
"description": "List of Kubernetes namespaces to exclude from evaluation to monitoring of containers using only allowed capabilities in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them."
},
"defaultValue": [
"kube-system",
"gatekeeper-system",
"azure-arc"
]
},
"AllowedCapabilitiesInKubernetesClusterList": {
"type": "Array",
"metadata": {
"displayName": "Allowed capabilities",
"description": "The list of capabilities that are allowed to be added to a container. Provide empty list as input to block everything."
},
"defaultValue": [
]
},
"DropCapabilitiesInKubernetesClusterList": {
"type": "Array",
"metadata": {
"displayName": "Required drop capabilities",
"description": "The list of capabilities that must be dropped by a container."
},
"defaultValue": [
]
},
"AllowedAppArmorProfilesInKubernetesClusterEffect": {
"type": "String",
"metadata": {
"displayName": "Overriding or disabling of containers AppArmor profile should be restricted",
"description": "Enable or disable monitoring of modification of Kubernetes containers' AppArmor profile"
},
"allowedValues": [
"audit",
"deny",
"disabled"
],
"defaultValue": "audit"
},
"AllowedAppArmorProfilesInKubernetesClusterNamespaceExclusion": {
"type": "Array",
"metadata": {
"displayName": "Kubernetes namespaces to exclude from monitoring of containers modification of AppArmor profile",
"description": "List of Kubernetes namespaces to exclude from evaluation to monitoring of containers modifying of AppArmor profile in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them."
},
"defaultValue": [
"kube-system",
"gatekeeper-system",
"azure-arc"
]
},
"AllowedAppArmorProfilesInKubernetesClusterList": {
"type": "Array",
"metadata": {
"displayName": "Allowed AppArmor profiles",
"description": "The list of AppArmor profiles that containers are allowed to use. E.g. 'runtime/default;docker/default'. Provide empty list as input to block everything."
},
"defaultValue": [
]
},
"AllowedHostNetworkingAndPortsInKubernetesClusterEffect": {
"type": "String",
"metadata": {
"displayName": "Usage of host networking and ports should be restricted",
"description": "Enable or disable monitoring of Kubernetes containers' host networking and port ranges"
},
"allowedValues": [
"audit",
"deny",
"disabled"
],
"defaultValue": "audit"
},
"AllowedHostNetworkingAndPortsInKubernetesClusterNamespaceExclusion": {
"type": "Array",
"metadata": {
"displayName": "Kubernetes namespaces to exclude from monitoring of containers host networking and ports",
"description": "List of Kubernetes namespaces to exclude from evaluation to monitoring of containers host networking and ports in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them."
},
"defaultValue": [
"kube-system",
"gatekeeper-system",
"azure-arc"
]
},
"AllowHostNetworkingInKubernetesCluster": {
"type": "Boolean",
"metadata": {
"displayName": "Allow host network usage",
"description": "Set this value to true if pod is allowed to use host network otherwise false."
},
"defaultValue": false
},
"AllowedHostMinPortInKubernetesCluster": {
"type": "Integer",
"metadata": {
"displayName": "Min host port",
"description": "The minimum value in the allowable host port range that pods can use in the host network namespace."
},
"defaultValue": 0
},
"AllowedHostMaxPortInKubernetesCluster": {
"type": "Integer",
"metadata": {
"displayName": "Max host port",
"description": "The maximum value in the allowable host port range that pods can use in the host network namespace."
},
"defaultValue": 0
},
"AllowedHostPathVolumesInKubernetesClusterEffect": {
"type": "String",
"metadata": {
"displayName": "Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers",
"description": "Enable or disable monitoring of pod HostPath volume mounts in Kubernetes clusters"
},
"allowedValues": [
"audit",
"deny",
"disabled"
],
"defaultValue": "audit"
},
"AllowedHostPathVolumesInKubernetesClusterNamespaceExclusion": {
"type": "Array",
"metadata": {
"displayName": "Kubernetes namespaces to exclude from monitoring of pod HostPath volume mounts",
"description": "List of Kubernetes namespaces to exclude from evaluation to monitoring of pod HostPath volume mounts in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them."
},
"defaultValue": [
"kube-system",
"gatekeeper-system",
"azure-arc"
]
},
"AllowedHostPathVolumesInKubernetesClusterList": {
"type": "Object",
"metadata": {
"displayName": "Allowed host paths",
"description": "The host paths allowed for pod hostPath volumes to use. Provide an empty paths list to block all host paths.",
"schema": {
"type": "object",
"properties": {
"paths": {
"type": "array",
"items": {
"type": "object",
"properties": {
"pathPrefix": {
"type": "string"
},
"readOnly": {
"type": "boolean"
}
},
"required": [
"pathPrefix",
"readOnly"
],
"additionalProperties": false
}
}
},
"required": [
"paths"
],
"additionalProperties": false
}
},
"defaultValue": {
"paths": [
]
}
},
"memoryAndCPULimitsInKubernetesClusterEffect": {
"type": "String",
"metadata": {
"displayName": "Containers' CPU and memory limits should be enforced",
"description": "Enable or disable monitoring of containers' CPU and memory limits in Kubernetes clusters"
},
"allowedValues": [
"audit",
"deny",
"disabled"
],
"defaultValue": "audit"
},
"memoryInKubernetesClusterLimit": {
"type": "String",
"metadata": {
"displayName": "Max allowed memory bytes in Kubernetes cluster",
"description": "The maximum memory bytes allowed for a container. E.g. 1Gi. For more information, please refer https://aka.ms/k8s-policy-pod-limits"
},
"defaultValue": "0"
},
"CPUInKubernetesClusterLimit": {
"type": "String",
"metadata": {
"displayName": "Max allowed CPU units in Kubernetes cluster",
"description": "The maximum CPU units allowed for a container. E.g. 200m. For more information, please refer https://aka.ms/k8s-policy-pod-limits"
},
"defaultValue": "0"
},
"memoryAndCPULimitsInKubernetesClusterNamespaceExclusion": {
"type": "Array",
"metadata": {
"displayName": "Kubernetes namespaces to exclude from monitoring of memory and CPU limits",
"description": "List of Kubernetes namespaces to exclude from evaluation of memory and CPU limits in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them."
},
"defaultValue": [
"kube-system",
"gatekeeper-system",
"azure-arc"
]
},
"MustRunAsNonRootNamespaceExclusion": {
"type": "Array",
"metadata": {
"displayName": "Kubernetes namespaces to exclude from monitoring of containers running as root user",
"description": "List of Kubernetes namespaces to exclude from evaluation to monitoring of containers running as root users. To list multiple namespaces, use semicolons (;) to separate them."
},
"defaultValue": [
"kube-system",
"gatekeeper-system",
"azure-arc"
]
},
"MustRunAsNonRootNamespaceEffect": {
"type": "String",
"metadata": {
"displayName": "Kubernetes containers should not be run as root user",
"description": "Enable or disable monitoring of containers running as root user in Kubernetes nodes"
},
"allowedValues": [
"audit",
"deny",
"disabled"
],
"defaultValue": "audit"
},
"containerRegistryVulnerabilityAssessmentEffect": {
"type": "String",
"metadata": {
"displayName": "Vulnerabilities in Azure Container Registry images should be remediated",
"description": "Enable or disable monitoring of Azure container registries by Azure Security Center vulnerability assessment (powered by Qualys)"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"disallowPublicBlobAccessEffect": {
"type": "String",
"metadata": {
"displayName": "Storage account public access should be disallowed",
"description": "Enable or disable reporting of Storage Accounts that allow public access"
},
"allowedValues": [
"audit",
"deny",
"disabled"
],
"defaultValue": "audit"
},
"azureBackupShouldBeEnabledForVirtualMachinesMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Azure Backup should be enabled for Virtual Machines",
"description": "Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure."
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"managedIdentityShouldBeUsedInYourFunctionAppMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Managed identity should be used in your Function App",
"description": "Use a managed identity for enhanced authentication security"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"georedundantBackupShouldBeEnabledForAzureDatabaseForMariadbMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Georedundant backup should be enabled for Azure Database for MariaDB",
"description": "Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create."
},
"allowedValues": [
"Audit",
"Disabled"
],
"defaultValue": "Audit"
},
"managedIdentityShouldBeUsedInYourWebAppMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Managed identity should be used in your Web App",
"description": "Use a managed identity for enhanced authentication security"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"georedundantBackupShouldBeEnabledForAzureDatabaseForPostgresqlMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Georedundant backup should be enabled for Azure Database for PostgreSQL",
"description": "Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create."
},
"allowedValues": [
"Audit",
"Disabled"
],
"defaultValue": "Audit"
},
"ensureWEBAppHasClientCertificatesIncomingClientCertificatesSetToOnMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Ensure WEB app has Client Certificates Incoming client certificates set to On",
"description": "Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app."
},
"allowedValues": [
"Audit",
"Disabled"
],
"defaultValue": "Audit"
},
"georedundantBackupShouldBeEnabledForAzureDatabaseForMysqlMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Georedundant backup should be enabled for Azure Database for MySQL",
"description": "Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create."
},
"allowedValues": [
"Audit",
"Disabled"
],
"defaultValue": "Audit"
},
"latestTLSVersionShouldBeUsedInYourAPIAppMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Latest TLS version should be used in your API App",
"description": "Upgrade to the latest TLS version"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"diagnosticLogsInAppServicesShouldBeEnabledMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Diagnostic logs in App Services should be enabled",
"description": "Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"managedIdentityShouldBeUsedInYourAPIAppMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Managed identity should be used in your API App",
"description": "Use a managed identity for enhanced authentication security"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"enforceSSLConnectionShouldBeEnabledForPostgresqlDatabaseServersMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Enforce SSL connection should be enabled for PostgreSQL database servers",
"description": "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server."
},
"allowedValues": [
"Audit",
"Disabled"
],
"defaultValue": "Audit"
},
"enforceSSLConnectionShouldBeEnabledForMysqlDatabaseServersMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Enforce SSL connection should be enabled for MySQL database servers",
"description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server."
},
"allowedValues": [
"Audit",
"Disabled"
],
"defaultValue": "Audit"
},
"latestTLSVersionShouldBeUsedInYourWebAppMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Latest TLS version should be used in your Web App",
"description": "Upgrade to the latest TLS version"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"latestTLSVersionShouldBeUsedInYourFunctionAppMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Latest TLS version should be used in your Function App",
"description": "Upgrade to the latest TLS version"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"ensureThatPHPVersionIsTheLatestIfUsedAsAPartOfTheApiAppMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Ensure that PHP version is the latest if used as a part of the API app",
"description": "Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps."
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"ensureThatPHPVersionIsTheLatestIfUsedAsAPartOfTheWEBAppMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Ensure that PHP version is the latest if used as a part of the WEB app",
"description": "Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps."
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"ensureThatJavaVersionIsTheLatestIfUsedAsAPartOfTheWebAppMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Ensure that Java version is the latest if used as a part of the Web app",
"description": "Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps."
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"ensureThatJavaVersionIsTheLatestIfUsedAsAPartOfTheFunctionAppMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Ensure that Java version is the latest if used as a part of the Function app",
"description": "Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps."
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"ensureThatJavaVersionIsTheLatestIfUsedAsAPartOfTheApiAppMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Ensure that Java version is the latest if used as a part of the API app",
"description": "Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps."
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"ensureThatPythonVersionIsTheLatestIfUsedAsAPartOfTheWebAppMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Ensure that Python version is the latest if used as a part of the Web app",
"description": "Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps."
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"ensureThatPythonVersionIsTheLatestIfUsedAsAPartOfTheFunctionAppMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Ensure that Python version is the latest if used as a part of the Function app",
"description": "Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps."
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"ensureThatPythonVersionIsTheLatestIfUsedAsAPartOfTheApiAppMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Ensure that Python version is the latest if used as a part of the API app",
"description": "Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps."
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"privateEndpointShouldBeEnabledForPostgresqlServersMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Private endpoint should be enabled for PostgreSQL servers",
"description": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure."
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"privateEndpointShouldBeEnabledForMariadbServersMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Private endpoint should be enabled for MariaDB servers",
"description": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure."
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"privateEndpointShouldBeEnabledForMysqlServersMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "Private endpoint should be enabled for MySQL servers",
"description": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure."
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"sQLServersShouldBeConfiguredWithAuditingRetentionDaysGreaterThan90DaysMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "SQL servers should be configured with auditing retention days greater than 90 days",
"description": "Audit SQL servers configured with an auditing retention period of less than 90 days."
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"fTPSOnlyShouldBeRequiredInYourFunctionAppMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "FTPS only should be required in your Function App",
"description": "Enable FTPS enforcement for enhanced security"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"fTPSShouldBeRequiredInYourWebAppMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "FTPS should be required in your Web App",
"description": "Enable FTPS enforcement for enhanced security"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"fTPSOnlyShouldBeRequiredInYourAPIAppMonitoringEffect": {
"type": "String",
"metadata": {
"displayName": "FTPS only should be required in your API App",
"description": "Enable FTPS enforcement for enhanced security"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
}
},
"policyDefinitions": [
{
"policyDefinitionReferenceId": "useServicePrincipalToProtectSubscriptionsMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6646a0bd-e110-40ca-bb97-84fcee63c414",
"parameters": {
"effect": {
"value": "[parameters('useServicePrincipalToProtectSubscriptionsMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "updateOsVersionMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5a913c68-0590-402c-a531-e57e19379da3",
"parameters": {
"effect": {
"value": "[parameters('updateOsVersionMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "resolveLogAnalyticsHealthIssuesMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d62cfe2b-3ab0-4d41-980d-76803b58ca65",
"parameters": {
"effect": {
"value": "[parameters('resolveLogAnalyticsHealthIssuesMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "installLogAnalyticsAgentOnVmMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499",
"parameters": {
"effect": {
"value": "[parameters('installLogAnalyticsAgentOnVmMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "installLogAnalyticsAgentOnVmssMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b",
"parameters": {
"effect": {
"value": "[parameters('installLogAnalyticsAgentOnVmssMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "certificatesValidityPeriodMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560",
"parameters": {
"effect": {
"value": "[parameters('certificatesValidityPeriodMonitoringEffect')]"
},
"maximumValidityInMonths": {
"value": "[parameters('certificatesValidityPeriodInMonths')]"
}
}
},
{
"policyDefinitionReferenceId": "vmssOsVulnerabilitiesMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4",
"parameters": {
"effect": {
"value": "[parameters('vmssOsVulnerabilitiesMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "vmssEndpointProtectionMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de",
"parameters": {
"effect": {
"value": "[parameters('vmssEndpointProtectionMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "vmssSystemUpdatesMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
"parameters": {
"effect": {
"value": "[parameters('vmssSystemUpdatesMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "azurePolicyforWindowsMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5fc23db3-dd4d-4c56-bcc7-43626243e601",
"parameters": {
"effect": {
"value": "[parameters('azurePolicyforWindowsMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "windowsDefenderExploitGuardMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40",
"parameters": {
"effect": {
"value": "[parameters('windowsDefenderExploitGuardMonitoringEffect')]"
},
"NotAvailableMachineState": {
"value": "Compliant"
}
}
},
{
"policyDefinitionReferenceId": "diagnosticsLogsInIoTHubMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4",
"parameters": {
"effect": {
"value": "[parameters('diagnosticsLogsInIoTHubMonitoringEffect')]"
},
"requiredRetentionDays": {
"value": "[parameters('diagnosticsLogsInIoTHubRetentionDays')]"
}
}
},
{
"policyDefinitionReferenceId": "diagnosticsLogsInServiceFabricMonitoringEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1",
"parameters": {
"effect": {
"value": "[parameters('diagnosticsLogsInServiceFabricMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "disableUnrestrictedNetworkToStorageAccountMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c",
"parameters": {
"effect": {
"value": "[parameters('disableUnrestrictedNetworkToStorageAccountMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "useRbacRulesMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5",
"parameters": {
"effect": {
"value": "[parameters('useRbacRulesMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "diagnosticsLogsInStreamAnalyticsMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46",
"parameters": {
"effect": {
"value": "[parameters('diagnosticsLogsInStreamAnalyticsMonitoringEffect')]"
},
"requiredRetentionDays": {
"value": "[parameters('diagnosticsLogsInStreamAnalyticsRetentionDays')]"
}
}
},
{
"policyDefinitionReferenceId": "secureTransferToStorageAccountMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
"parameters": {
"effect": {
"value": "[parameters('secureTransferToStorageAccountMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "aadAuthenticationInSqlServerMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9",
"parameters": {
"effect": {
"value": "[parameters('aadAuthenticationInSqlServerMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "diagnosticsLogsInServiceBusMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45",
"parameters": {
"effect": {
"value": "[parameters('diagnosticsLogsInServiceBusMonitoringEffect')]"
},
"requiredRetentionDays": {
"value": "[parameters('diagnosticsLogsInServiceBusRetentionDays')]"
}
}
},
{
"policyDefinitionReferenceId": "clusterProtectionLevelInServiceFabricMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68",
"parameters": {
"effect": {
"value": "[parameters('clusterProtectionLevelInServiceFabricMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "aadAuthenticationInServiceFabricMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0",
"parameters": {
"effect": {
"value": "[parameters('aadAuthenticationInServiceFabricMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "diagnosticsLogsInSearchServiceMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4",
"parameters": {
"effect": {
"value": "[parameters('diagnosticsLogsInSearchServiceMonitoringEffect')]"
},
"requiredRetentionDays": {
"value": "[parameters('diagnosticsLogsInSearchServiceRetentionDays')]"
}
}
},
{
"policyDefinitionReferenceId": "diagnosticsLogsInRedisCacheMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb",
"parameters": {
"effect": {
"value": "[parameters('diagnosticsLogsInRedisCacheMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "diagnosticsLogsInLogicAppsMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d",
"parameters": {
"effect": {
"value": "[parameters('diagnosticsLogsInLogicAppsMonitoringEffect')]"
},
"requiredRetentionDays": {
"value": "[parameters('diagnosticsLogsInLogicAppsRetentionDays')]"
}
}
},
{
"policyDefinitionReferenceId": "diagnosticsLogsInKeyVaultMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21",
"parameters": {
"effect": {
"value": "[parameters('diagnosticsLogsInKeyVaultMonitoringEffect')]"
},
"requiredRetentionDays": {
"value": "[parameters('diagnosticsLogsInKeyVaultRetentionDays')]"
}
}
},
{
"policyDefinitionReferenceId": "diagnosticsLogsInEventHubMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a",
"parameters": {
"effect": {
"value": "[parameters('diagnosticsLogsInEventHubMonitoringEffect')]"
},
"requiredRetentionDays": {
"value": "[parameters('diagnosticsLogsInEventHubRetentionDays')]"
}
}
},
{
"policyDefinitionReferenceId": "diagnosticsLogsInDataLakeStoreMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb",
"parameters": {
"effect": {
"value": "[parameters('diagnosticsLogsInDataLakeStoreMonitoringEffect')]"
},
"requiredRetentionDays": {
"value": "[parameters('diagnosticsLogsInDataLakeStoreRetentionDays')]"
}
}
},
{
"policyDefinitionReferenceId": "diagnosticsLogsInDataLakeAnalyticsMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c",
"parameters": {
"effect": {
"value": "[parameters('diagnosticsLogsInDataLakeAnalyticsMonitoringEffect')]"
},
"requiredRetentionDays": {
"value": "[parameters('diagnosticsLogsInDataLakeAnalyticsRetentionDays')]"
}
}
},
{
"policyDefinitionReferenceId": "classicStorageAccountsMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606",
"parameters": {
"effect": {
"value": "[parameters('classicStorageAccountsMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "classicComputeVMsMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d",
"parameters": {
"effect": {
"value": "[parameters('classicComputeVMsMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "diagnosticsLogsInBatchAccountMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d",
"parameters": {
"effect": {
"value": "[parameters('diagnosticsLogsInBatchAccountMonitoringEffect')]"
},
"requiredRetentionDays": {
"value": "[parameters('diagnosticsLogsInBatchAccountRetentionDays')]"
}
}
},
{
"policyDefinitionReferenceId": "encryptionOfAutomationAccountMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735",
"parameters": {
"effect": {
"value": "[parameters('encryptionOfAutomationAccountMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "sqlDbEncryptionMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12",
"parameters": {
"effect": {
"value": "[parameters('sqlDbEncryptionMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "sqlServerAuditingMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9",
"parameters": {
"effect": {
"value": "[parameters('sqlServerAuditingMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "systemUpdatesMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
"parameters": {
"effect": {
"value": "[parameters('systemUpdatesMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "jitNetworkAccessMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c",
"parameters": {
"effect": {
"value": "[parameters('jitNetworkAccessMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "adaptiveApplicationControlsMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc",
"parameters": {
"effect": {
"value": "[parameters('adaptiveApplicationControlsMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "adaptiveApplicationControlsUpdateMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/123a3936-f020-408a-ba0c-47873faf1534",
"parameters": {
"effect": {
"value": "[parameters('adaptiveApplicationControlsUpdateMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "networkSecurityGroupsOnSubnetsMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517",
"parameters": {
"effect": {
"value": "[parameters('networkSecurityGroupsOnSubnetsMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "networkSecurityGroupsOnVirtualMachinesMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c",
"parameters": {
"effect": {
"value": "[parameters('networkSecurityGroupsOnVirtualMachinesMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "networkSecurityGroupsOnInternalVirtualMachinesMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6",
"parameters": {
"effect": {
"value": "[parameters('networkSecurityGroupsOnInternalVirtualMachinesMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "systemConfigurationsMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
"parameters": {
"effect": {
"value": "[parameters('systemConfigurationsMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "endpointProtectionMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9",
"parameters": {
"effect": {
"value": "[parameters('endpointProtectionMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "diskEncryptionMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d",
"parameters": {
"effect": {
"value": "[parameters('diskEncryptionMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "vulnerabilityAssessmentMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c",
"parameters": {
"effect": {
"value": "[parameters('vulnerabilityAssesmentMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "serverVulnerabilityAssessment",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9",
"parameters": {
"effect": {
"value": "[parameters('serverVulnerabilityAssessmentEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "nextGenerationFirewallMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6",
"parameters": {
"effect": {
"value": "[parameters('nextGenerationFirewallMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "sqlDbVulnerabilityAssesmentMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc",
"parameters": {
"effect": {
"value": "[parameters('sqlDbVulnerabilityAssesmentMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "sqlDbDataClassificationMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349",
"parameters": {
"effect": {
"value": "[parameters('sqlDbDataClassificationMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "identityDesignateLessThanOwnersMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c",
"parameters": {
"effect": {
"value": "[parameters('identityDesignateLessThanOwnersMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "identityDesignateMoreThanOneOwnerMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b",
"parameters": {
"effect": {
"value": "[parameters('identityDesignateMoreThanOneOwnerMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "identityEnableMFAForOwnerPermissionsMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed",
"parameters": {
"effect": {
"value": "[parameters('identityEnableMFAForOwnerPermissionsMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "identityEnableMFAForWritePermissionsMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3",
"parameters": {
"effect": {
"value": "[parameters('identityEnableMFAForWritePermissionsMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "identityEnableMFAForReadPermissionsMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64",
"parameters": {
"effect": {
"value": "[parameters('identityEnableMFAForReadPermissionsMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad",
"parameters": {
"effect": {
"value": "[parameters('identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "identityRemoveDeprecatedAccountMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474",
"parameters": {
"effect": {
"value": "[parameters('identityRemoveDeprecatedAccountMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "identityRemoveExternalAccountWithOwnerPermissionsMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9",
"parameters": {
"effect": {
"value": "[parameters('identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "identityRemoveExternalAccountWithWritePermissionsMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4",
"parameters": {
"effect": {
"value": "[parameters('identityRemoveExternalAccountWithWritePermissionsMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "identityRemoveExternalAccountWithReadPermissionsMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60",
"parameters": {
"effect": {
"value": "[parameters('identityRemoveExternalAccountWithReadPermissionsMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "apiAppDisableRemoteDebuggingMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e",
"parameters": {
"effect": {
"value": "[parameters('apiAppDisableRemoteDebuggingMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "functionAppDisableRemoteDebuggingMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9",
"parameters": {
"effect": {
"value": "[parameters('functionAppDisableRemoteDebuggingMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "webAppDisableRemoteDebuggingMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71",
"parameters": {
"effect": {
"value": "[parameters('webAppDisableRemoteDebuggingMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "apiAppEnforceHttpsMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6",
"parameters": {
"effect": {
"value": "[parameters('apiAppEnforceHttpsMonitoringEffectV2')]"
}
}
},
{
"policyDefinitionReferenceId": "functionAppEnforceHttpsMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab",
"parameters": {
"effect": {
"value": "[parameters('functionAppEnforceHttpsMonitoringEffectV2')]"
}
}
},
{
"policyDefinitionReferenceId": "webAppEnforceHttpsMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d",
"parameters": {
"effect": {
"value": "[parameters('webAppEnforceHttpsMonitoringEffectV2')]"
}
}
},
{
"policyDefinitionReferenceId": "apiAppRestrictCORSAccessMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac",
"parameters": {
"effect": {
"value": "[parameters('apiAppRestrictCORSAccessMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "functionAppRestrictCORSAccessMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5",
"parameters": {
"effect": {
"value": "[parameters('functionAppRestrictCORSAccessMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "webAppRestrictCORSAccessMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9",
"parameters": {
"effect": {
"value": "[parameters('webAppRestrictCORSAccessMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "vnetEnableDDoSProtectionMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd",
"parameters": {
"effect": {
"value": "[parameters('vnetEnableDDoSProtectionMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "sqlServerAdvancedDataSecurityMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9",
"parameters": {
"effect": {
"value": "[parameters('sqlServerAdvancedDataSecurityMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "sqlManagedInstanceAdvancedDataSecurityMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9",
"parameters": {
"effect": {
"value": "[parameters('sqlManagedInstanceAdvancedDataSecurityMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "kubernetesServiceRbacEnabledMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457",
"parameters": {
"effect": {
"value": "[parameters('kubernetesServiceRbacEnabledMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "kubernetesServiceVersionUpToDateMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c",
"parameters": {
"effect": {
"value": "[parameters('kubernetesServiceVersionUpToDateMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "kubernetesServiceAuthorizedIPRangesEnabledMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea",
"parameters": {
"effect": {
"value": "[parameters('kubernetesServiceAuthorizedIPRangesEnabledMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "vulnerabilityAssessmentOnServerMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9",
"parameters": {
"effect": {
"value": "[parameters('vulnerabilityAssessmentOnServerMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "vulnerabilityAssessmentOnManagedInstanceMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a",
"parameters": {
"effect": {
"value": "[parameters('vulnerabilityAssessmentOnManagedInstanceMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "adaptiveNetworkHardeningsMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6",
"parameters": {
"effect": {
"value": "[parameters('adaptiveNetworkHardeningsMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "restrictAccessToManagementPortsMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917",
"parameters": {
"effect": {
"value": "[parameters('restrictAccessToManagementPortsMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "disableIPForwardingMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744",
"parameters": {
"effect": {
"value": "[parameters('disableIPForwardingMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "ensureServerTDEIsEncryptedWithYourOwnKeyMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd",
"parameters": {
"effect": {
"value": "[parameters('ensureServerTDEIsEncryptedWithYourOwnKeyMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "ensureManagedInstanceTDEIsEncryptedWithYourOwnKeyMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260",
"parameters": {
"effect": {
"value": "[parameters('ensureManagedInstanceTDEIsEncryptedWithYourOwnKeyMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "containerBenchmarkMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933",
"parameters": {
"effect": {
"value": "[parameters('containerBenchmarkMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "ASCDependencyAgentAuditWindowsEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d",
"parameters": {
"effect": {
"value": "[parameters('ASCDependencyAgentAuditWindowsEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "ASCDependencyAgentAuditLinuxEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602",
"parameters": {
"effect": {
"value": "[parameters('ASCDependencyAgentAuditLinuxEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "AzureFirewallEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c",
"parameters": {
"effect": {
"value": "[parameters('AzureFirewallEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "ArcWindowsMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e",
"parameters": {
"effect": {
"value": "[parameters('ArcWindowsMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "ArcLinuxMonitoring",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/842c54e8-c2f9-4d79-ae8d-38d8b8019373",
"parameters": {
"effect": {
"value": "[parameters('ArcLinuxMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "keyVaultsAdvancedDataSecurityMonitoringEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047",
"parameters": {
"effect": {
"value": "[parameters('keyVaultsAdvancedDataSecurityMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "sqlServersAdvancedDataSecurityMonitoringEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2",
"parameters": {
"effect": {
"value": "[parameters('sqlServersAdvancedDataSecurityMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "sqlServersVirtualMachinesAdvancedDataSecurityMonitoringEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6581d072-105e-4418-827f-bd446d56421b",
"parameters": {
"effect": {
"value": "[parameters('sqlServersVirtualMachinesAdvancedDataSecurityMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "storageAccountsAdvancedDataSecurityMonitoringEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa",
"parameters": {
"effect": {
"value": "[parameters('storageAccountsAdvancedDataSecurityMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "appServicesAdvancedThreatProtectionMonitoringEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb",
"parameters": {
"effect": {
"value": "[parameters('appServicesAdvancedThreatProtectionMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "containerRegistryAdvancedThreatProtectionMonitoringEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c25d9a16-bc35-4e15-a7e5-9db606bf9ed4",
"parameters": {
"effect": {
"value": "[parameters('containerRegistryAdvancedThreatProtectionMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "kubernetesServiceAdvancedThreatProtectionMonitoringEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/523b5cd1-3e23-492f-a539-13118b6d1e3a",
"parameters": {
"effect": {
"value": "[parameters('kubernetesServiceAdvancedThreatProtectionMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "virtualMachinesAdvancedThreatProtectionMonitoringEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d",
"parameters": {
"effect": {
"value": "[parameters('virtualMachinesAdvancedThreatProtectionMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "azurePolicyAddonStatus",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d",
"parameters": {
"effect": {
"value": "[parameters('azurePolicyAddonStatusEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "ensureAllowedContainerImagesInKubernetesCluster",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469",
"parameters": {
"effect": {
"value": "[parameters('allowedContainerImagesInKubernetesClusterEffect')]"
},
"allowedContainerImagesRegex": {
"value": "[parameters('allowedContainerImagesInKubernetesClusterRegex')]"
},
"excludedNamespaces": {
"value": "[parameters('allowedContainerImagesNamespaceExclusion')]"
}
}
},
{
"policyDefinitionReferenceId": "privilegedContainersShouldBeAvoided",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4",
"parameters": {
"effect": {
"value": "[parameters('privilegedContainersShouldBeAvoidedEffect')]"
},
"excludedNamespaces": {
"value": "[parameters('privilegedContainerNamespaceExclusion')]"
}
}
},
{
"policyDefinitionReferenceId": "allowedContainerPortsInKubernetesCluster",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/440b515e-a580-421e-abeb-b159a61ddcbc",
"parameters": {
"effect": {
"value": "[parameters('allowedContainerPortsInKubernetesClusterEffect')]"
},
"allowedContainerPortsList": {
"value": "[parameters('allowedContainerPortsInKubernetesClusterPorts')]"
},
"excludedNamespaces": {
"value": "[parameters('allowedContainerPortsInKubernetesClusterNamespaceExclusion')]"
}
}
},
{
"policyDefinitionReferenceId": "allowedServicePortsInKubernetesCluster",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/233a2a17-77ca-4fb1-9b6b-69223d272a44",
"parameters": {
"effect": {
"value": "[parameters('allowedServicePortsInKubernetesClusterEffect')]"
},
"allowedServicePortsList": {
"value": "[parameters('allowedservicePortsInKubernetesClusterPorts')]"
},
"excludedNamespaces": {
"value": "[parameters('allowedServicePortsInKubernetesClusterNamespaceExclusion')]"
}
}
},
{
"policyDefinitionReferenceId": "memoryAndCPULimitsInKubernetesCluster",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164",
"parameters": {
"effect": {
"value": "[parameters('memoryAndCPULimitsInKubernetesClusterEffect')]"
},
"cpuLimit": {
"value": "[parameters('CPUInKubernetesClusterLimit')]"
},
"memoryLimit": {
"value": "[parameters('memoryInKubernetesClusterLimit')]"
},
"excludedNamespaces": {
"value": "[parameters('memoryAndCPULimitsInKubernetesClusterNamespaceExclusion')]"
}
}
},
{
"policyDefinitionReferenceId": "MustRunAsNonRoot",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f06ddb64-5fa3-4b77-b166-acb36f7f6042",
"parameters": {
"effect": {
"value": "[parameters('MustRunAsNonRootNamespaceEffect')]"
},
"runAsUserRule": {
"value": "MustRunAsNonRoot"
},
"runAsUserRanges": {
"value": {
"ranges": [
]
}
},
"runAsGroupRule": {
"value": "MayRunAs"
},
"runAsGroupRanges": {
"value": {
"ranges": [
{
"min": 1,
"max": 65535
}
]
}
},
"supplementalGroupsRule": {
"value": "MayRunAs"
},
"supplementalGroupsRanges": {
"value": {
"ranges": [
{
"min": 1,
"max": 65535
}
]
}
},
"fsGroupRule": {
"value": "MayRunAs"
},
"fsGroupRanges": {
"value": {
"ranges": [
{
"min": 1,
"max": 65535
}
]
}
},
"excludedNamespaces": {
"value": "[parameters('MustRunAsNonRootNamespaceExclusion')]"
}
}
},
{
"policyDefinitionReferenceId": "containerRegistryVulnerabilityAssessment",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562",
"parameters": {
"effect": {
"value": "[parameters('containerRegistryVulnerabilityAssessmentEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "NoPrivilegeEscalationInKubernetesCluster",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99",
"parameters": {
"effect": {
"value": "[parameters('NoPrivilegeEscalationInKubernetesClusterEffect')]"
},
"excludedNamespaces": {
"value": "[parameters('NoPrivilegeEscalationInKubernetesClusterNamespaceExclusion')]"
}
}
},
{
"policyDefinitionReferenceId": "NoSharingSensitiveHostNamespacesInKubernetes",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8",
"parameters": {
"effect": {
"value": "[parameters('NoSharingSensitiveHostNamespacesInKubernetesEffect')]"
},
"excludedNamespaces": {
"value": "[parameters('NoSharingSensitiveHostNamespacesInKubernetesNamespaceExclusion')]"
}
}
},
{
"policyDefinitionReferenceId": "ReadOnlyRootFileSystemInKubernetesCluster",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/df49d893-a74c-421d-bc95-c663042e5b80",
"parameters": {
"effect": {
"value": "[parameters('ReadOnlyRootFileSystemInKubernetesClusterEffect')]"
},
"excludedNamespaces": {
"value": "[parameters('ReadOnlyRootFileSystemInKubernetesClusterNamespaceExclusion')]"
}
}
},
{
"policyDefinitionReferenceId": "AllowedCapabilitiesInKubernetesCluster",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c",
"parameters": {
"effect": {
"value": "[parameters('AllowedCapabilitiesInKubernetesClusterEffect')]"
},
"excludedNamespaces": {
"value": "[parameters('AllowedCapabilitiesInKubernetesClusterNamespaceExclusion')]"
},
"allowedCapabilities": {
"value": "[parameters('AllowedCapabilitiesInKubernetesClusterList')]"
},
"requiredDropCapabilities": {
"value": "[parameters('DropCapabilitiesInKubernetesClusterList')]"
}
}
},
{
"policyDefinitionReferenceId": "AllowedAppArmorProfilesInKubernetesCluster",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/511f5417-5d12-434d-ab2e-816901e72a5e",
"parameters": {
"effect": {
"value": "[parameters('AllowedAppArmorProfilesInKubernetesClusterEffect')]"
},
"excludedNamespaces": {
"value": "[parameters('AllowedAppArmorProfilesInKubernetesClusterNamespaceExclusion')]"
},
"allowedProfiles": {
"value": "[parameters('AllowedAppArmorProfilesInKubernetesClusterList')]"
}
}
},
{
"policyDefinitionReferenceId": "AllowedHostNetworkingAndPortsInKubernetesCluster",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82985f06-dc18-4a48-bc1c-b9f4f0098cfe",
"parameters": {
"effect": {
"value": "[parameters('AllowedHostNetworkingAndPortsInKubernetesClusterEffect')]"
},
"excludedNamespaces": {
"value": "[parameters('AllowedHostNetworkingAndPortsInKubernetesClusterNamespaceExclusion')]"
},
"allowHostNetwork": {
"value": "[parameters('AllowHostNetworkingInKubernetesCluster')]"
},
"minPort": {
"value": "[parameters('AllowedHostMinPortInKubernetesCluster')]"
},
"maxPort": {
"value": "[parameters('AllowedHostMaxPortInKubernetesCluster')]"
}
}
},
{
"policyDefinitionReferenceId": "AllowedHostPathVolumesInKubernetesCluster",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/098fc59e-46c7-4d99-9b16-64990e543d75",
"parameters": {
"effect": {
"value": "[parameters('AllowedHostPathVolumesInKubernetesClusterEffect')]"
},
"excludedNamespaces": {
"value": "[parameters('AllowedHostPathVolumesInKubernetesClusterNamespaceExclusion')]"
},
"allowedHostPaths": {
"value": "[parameters('AllowedHostPathVolumesInKubernetesClusterList')]"
}
}
},
{
"policyDefinitionReferenceId": "StorageDisallowPublicAccess",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751",
"parameters": {
"effect": {
"value": "[parameters('disallowPublicBlobAccessEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "azureBackupShouldBeEnabledForVirtualMachinesMonitoringEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d",
"parameters": {
"effect": {
"value": "[parameters('azureBackupShouldBeEnabledForVirtualMachinesMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "managedIdentityShouldBeUsedInYourFunctionAppMonitoringEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f",
"parameters": {
"effect": {
"value": "[parameters('managedIdentityShouldBeUsedInYourFunctionAppMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "georedundantBackupShouldBeEnabledForAzureDatabaseForMariadbMonitoringEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0",
"parameters": {
"effect": {
"value": "[parameters('georedundantBackupShouldBeEnabledForAzureDatabaseForMariadbMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "managedIdentityShouldBeUsedInYourWebAppMonitoringEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332",
"parameters": {
"effect": {
"value": "[parameters('managedIdentityShouldBeUsedInYourWebAppMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "georedundantBackupShouldBeEnabledForAzureDatabaseForPostgresqlMonitoringEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430",
"parameters": {
"effect": {
"value": "[parameters('georedundantBackupShouldBeEnabledForAzureDatabaseForPostgresqlMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "ensureWEBAppHasClientCertificatesIncomingClientCertificatesSetToOnMonitoringEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609",
"parameters": {
"effect": {
"value": "[parameters('ensureWEBAppHasClientCertificatesIncomingClientCertificatesSetToOnMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "georedundantBackupShouldBeEnabledForAzureDatabaseForMysqlMonitoringEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970",
"parameters": {
"effect": {
"value": "[parameters('georedundantBackupShouldBeEnabledForAzureDatabaseForMysqlMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "latestTLSVersionShouldBeUsedInYourAPIAppMonitoringEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e",
"parameters": {
"effect": {
"value": "[parameters('latestTLSVersionShouldBeUsedInYourAPIAppMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "diagnosticLogsInAppServicesShouldBeEnabledMonitoringEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0",
"parameters": {
"effect": {
"value": "[parameters('diagnosticLogsInAppServicesShouldBeEnabledMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "managedIdentityShouldBeUsedInYourAPIAppMonitoringEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef",
"parameters": {
"effect": {
"value": "[parameters('managedIdentityShouldBeUsedInYourAPIAppMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "enforceSSLConnectionShouldBeEnabledForPostgresqlDatabaseServersMonitoringEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af",
"parameters": {
"effect": {
"value": "[parameters('enforceSSLConnectionShouldBeEnabledForPostgresqlDatabaseServersMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "enforceSSLConnectionShouldBeEnabledForMysqlDatabaseServersMonitoringEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d",
"parameters": {
"effect": {
"value": "[parameters('enforceSSLConnectionShouldBeEnabledForMysqlDatabaseServersMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "latestTLSVersionShouldBeUsedInYourWebAppMonitoringEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b",
"parameters": {
"effect": {
"value": "[parameters('latestTLSVersionShouldBeUsedInYourWebAppMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "latestTLSVersionShouldBeUsedInYourFunctionAppMonitoringEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193",
"parameters": {
"effect": {
"value": "[parameters('latestTLSVersionShouldBeUsedInYourFunctionAppMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "ensureThatPHPVersionIsTheLatestIfUsedAsAPartOfTheApiAppMonitoringEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba",
"parameters": {
"effect": {
"value": "[parameters('ensureThatPHPVersionIsTheLatestIfUsedAsAPartOfTheApiAppMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "ensureThatPHPVersionIsTheLatestIfUsedAsAPartOfTheWEBAppMonitoringEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3",
"parameters": {
"effect": {
"value": "[parameters('ensureThatPHPVersionIsTheLatestIfUsedAsAPartOfTheWEBAppMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "ensureThatJavaVersionIsTheLatestIfUsedAsAPartOfTheWebAppMonitoringEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed",
"parameters": {
"effect": {
"value": "[parameters('ensureThatJavaVersionIsTheLatestIfUsedAsAPartOfTheWebAppMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "ensureThatJavaVersionIsTheLatestIfUsedAsAPartOfTheFunctionAppMonitoringEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc",
"parameters": {
"effect": {
"value": "[parameters('ensureThatJavaVersionIsTheLatestIfUsedAsAPartOfTheFunctionAppMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "ensureThatJavaVersionIsTheLatestIfUsedAsAPartOfTheApiAppMonitoringEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39",
"parameters": {
"effect": {
"value": "[parameters('ensureThatJavaVersionIsTheLatestIfUsedAsAPartOfTheApiAppMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "ensureThatPythonVersionIsTheLatestIfUsedAsAPartOfTheWebAppMonitoringEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73",
"parameters": {
"effect": {
"value": "[parameters('ensureThatPythonVersionIsTheLatestIfUsedAsAPartOfTheWebAppMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "ensureThatPythonVersionIsTheLatestIfUsedAsAPartOfTheFunctionAppMonitoringEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73",
"parameters": {
"effect": {
"value": "[parameters('ensureThatPythonVersionIsTheLatestIfUsedAsAPartOfTheFunctionAppMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "ensureThatPythonVersionIsTheLatestIfUsedAsAPartOfTheApiAppMonitoringEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16",
"parameters": {
"effect": {
"value": "[parameters('ensureThatPythonVersionIsTheLatestIfUsedAsAPartOfTheApiAppMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "privateEndpointShouldBeEnabledForPostgresqlServersMonitoringEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0564d078-92f5-4f97-8398-b9f58a51f70b",
"parameters": {
"effect": {
"value": "[parameters('privateEndpointShouldBeEnabledForPostgresqlServersMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "privateEndpointShouldBeEnabledForMariadbServersMonitoringEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a1302fb-a631-4106-9753-f3d494733990",
"parameters": {
"effect": {
"value": "[parameters('privateEndpointShouldBeEnabledForMariadbServersMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "privateEndpointShouldBeEnabledForMysqlServersMonitoringEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7595c971-233d-4bcf-bd18-596129188c49",
"parameters": {
"effect": {
"value": "[parameters('privateEndpointShouldBeEnabledForMysqlServersMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "sQLServersShouldBeConfiguredWithAuditingRetentionDaysGreaterThan90DaysMonitoringEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743",
"parameters": {
"effect": {
"value": "[parameters('sQLServersShouldBeConfiguredWithAuditingRetentionDaysGreaterThan90DaysMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "fTPSOnlyShouldBeRequiredInYourFunctionAppMonitoringEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15",
"parameters": {
"effect": {
"value": "[parameters('fTPSOnlyShouldBeRequiredInYourFunctionAppMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "fTPSShouldBeRequiredInYourWebAppMonitoringEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b",
"parameters": {
"effect": {
"value": "[parameters('fTPSShouldBeRequiredInYourWebAppMonitoringEffect')]"
}
}
},
{
"policyDefinitionReferenceId": "fTPSOnlyShouldBeRequiredInYourAPIAppMonitoringEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5",
"parameters": {
"effect": {
"value": "[parameters('fTPSOnlyShouldBeRequiredInYourAPIAppMonitoringEffect')]"
}
}
}
]
},
"id": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
"type": "Microsoft.Authorization/policySetDefinitions",
"name": "1f3afdf9-d0c9-4c3d-847f-89da613e70a8"
}
|