last sync: 2021-Oct-15 16:53:14 UTC

Azure Policy Initiative

Azure Security Benchmark

NameAzure Security Benchmark
Azure Portal
Id1f3afdf9-d0c9-4c3d-847f-89da613e70a8
Version32.0.0
details on versioning
CategorySecurity Center
Microsoft docs
DescriptionThe Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center.
TypeBuiltIn
DeprecatedFalse
PreviewFalse
History
Date/Time (UTC ymd) (i) Changes
2021-10-14 16:31:34 add Policy Azure Defender for open-source relational databases should be enabled (0a9fbe0d-c5c4-4da8-87d8-f4fd77338835)
2021-09-30 16:01:51 add Policy Kubernetes clusters should gate deployment of vulnerable images (13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759)
2021-09-23 15:53:12 add Policy Resource logs in Azure Kubernetes Service should be enabled (245fc9df-fa96-4414-9a0b-3738c2f7341c)
2021-09-03 15:41:53 add Policy Endpoint protection should be installed on your machines (1f7c564c-0a90-4d44-b7e1-9d456cffaee8)
add Policy Endpoint protection health issues should be resolved on your machines (8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2)
2021-08-27 15:09:16 add Policy [Preview]: Azure Kubernetes Service clusters should have Azure Defender profile enabled (a1840de2-8088-4ea8-b153-b4c723e9cb01)
2021-05-18 14:34:49 add Policy [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines (1cb4d9c2-f88f-4069-bee0-dba239a57b09)
add Policy [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets (f655e522-adff-494d-95c2-52d4f6d56a42)
add Policy Kubernetes clusters should disable automounting API credentials (423dd1ba-798e-40e4-9c4d-b6902674b423)
add Policy [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines (672fe5a1-2fcd-42d7-b85d-902b6e28c6ff)
add Policy [Preview]: vTPM should be enabled on supported virtual machines (1c30f9cd-b84c-49cc-aa2c-9288447cc3b3)
add Policy Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities (d2e7ea85-6b44-4317-a0be-1b951587f626)
add Policy [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets (a21f8c92-9e22-4f09-b759-50500d1d2dda)
add Policy Kubernetes clusters should not use the default namespace (9f061a12-e40d-4183-a00e-171812443373)
add Policy [Preview]: Secure Boot should be enabled on supported Windows virtual machines (97566dd7-78ae-4997-8b36-1c7bfe0d8121)
2021-05-04 14:34:05 remove Policy [Deprecated]: Operating system version should be the most current version for your cloud service roles (5a913c68-0590-402c-a531-e57e19379da3)
remove Policy Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version (fb893a29-21bb-418c-a157-e99480ec364c)
2021-04-21 13:28:48 remove Policy [Deprecated]: Cognitive Services accounts should use customer owned storage or enable data encryption. (11566b39-f7f7-4b82-ab06-68d8700eb0a4)
remove Policy [Deprecated]: Cognitive Services accounts should enable data encryption (2bdd0062-9d75-436e-89df-487dd8e4b3c7)
2021-04-13 13:29:23 add Policy Azure Defender for Resource Manager should be enabled (c3d20c29-b36d-48fe-808b-99a87530ad99)
add Policy Azure Defender for DNS should be enabled (bdc59948-5574-49b3-bb91-76b7c986428d)
add Policy [Preview]: Linux machines should meet requirements for the Azure compute security baseline (fc9b3da7-8347-4380-8e70-0a0361d8dedd)
add Policy [Preview]: Windows machines should meet requirements of the Azure compute security baseline (72650e9f-97bc-4b2a-ab5f-9781a9fcecbc)
2021-03-24 14:32:49 add Policy [Preview]: Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed (8dfab9c4-fe7b-49ad-85e4-1e9be085358f)
2021-02-23 16:24:42 add Policy Azure Cosmos DB accounts should have firewall rules (862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb)
add Policy Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On' (0c192fe8-9cbb-4516-85b3-0ade8bd03886)
add Policy API Management services should use a virtual network (ef619a2c-cc4d-4d03-b2ba-8c94a834d85b)
add Policy Network Watcher should be enabled (b6e2945c-0b7b-40f5-9233-7a5323b5cdc6)
add Policy Cognitive Services accounts should disable public network access (0725b4dd-7e76-479c-a735-68e7ee23d5ca)
add Policy [Deprecated]: Cognitive Services accounts should use customer owned storage or enable data encryption. (11566b39-f7f7-4b82-ab06-68d8700eb0a4)
add Policy Private endpoint connections on Azure SQL Database should be enabled (7698e800-9299-47a6-b3b6-5a0fee576eed)
add Policy Public network access on Azure SQL Database should be disabled (1b8ca024-1d5c-4dec-8995-b1a932b41780)
add Policy Windows web servers should be configured to use secure communication protocols (5752e6d6-1206-46d8-8ab1-ecc2f71a8112)
add Policy Authentication to Linux machines should require SSH keys (630c64f9-8b6b-4c64-b511-6544ceff6fd6)
add Policy Cognitive Services accounts should restrict network access (037eea7a-bd0a-46c5-9a66-03aea78705d3)
add Policy [Deprecated]: Cognitive Services accounts should enable data encryption (2bdd0062-9d75-436e-89df-487dd8e4b3c7)
add Policy Kubernetes clusters should be accessible only over HTTPS (1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d)
2021-02-09 14:46:37 Description change: 'Monitor all the available security recommendations in Azure Security Center. This is the default policy for Azure Security Center.' to 'The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center.'
Name change: 'Enable Monitoring in Azure Security Center' to 'Azure Security Benchmark'
2021-01-22 09:14:56 remove Policy [Deprecated]: Vulnerabilities should be remediated by a Vulnerability Assessment solution (760a85ff-6162-42b3-8d70-698e268f648c)
2021-01-05 16:06:49 add Policy MySQL servers should use customer-managed keys to encrypt data at rest (83cef61d-dbd1-4b20-a4fc-5fbc7da10833)
add Policy Azure Event Grid topics should use private link (4b90e17e-8448-49db-875e-bd83fb6f804f)
add Policy Public network access should be disabled for PostgreSQL servers (b52376f7-9612-48a1-81cd-1ffe4b61032c)
add Policy Container registries should not allow unrestricted network access (d0793b48-0edc-4296-a390-4c75d1bdfd71)
add Policy Cognitive Services accounts should enable data encryption with a customer-managed key (67121cc7-ff39-4ab8-b7e3-95b84dab487d)
add Policy Azure Machine Learning workspaces should use private link (40cec1dd-a100-4920-b15b-3024fe8901ab)
add Policy VM Image Builder templates should use private link (2154edb9-244f-4741-9970-660785bccdaa)
add Policy Public network access should be disabled for MariaDB servers (fdccbe47-f3e3-4213-ad5d-ea459b2fa077)
add Policy Email notification for high severity alerts should be enabled (6e2593d9-add6-4083-9c9b-4b7d2188c899)
add Policy Azure SignalR Service should use private link (53503636-bcc9-4748-9663-5348217f160f)
add Policy Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest (1f905d99-2ab7-462c-a6b0-f709acca6c8f)
add Policy SQL servers on machines should have vulnerability findings resolved (6ba6d016-e7c3-4842-b8f2-4992ebc0d72d)
add Policy PostgreSQL servers should use customer-managed keys to encrypt data at rest (18adea5e-f416-4d0f-8aa8-d24321e3e274)
add Policy App Configuration should use private link (ca610c1d-041c-4332-9d88-7ed3094967c7)
add Policy Azure Machine Learning workspaces should be encrypted with a customer-managed key (ba769a63-b8cc-4b2d-abf6-ac33c7204be8)
add Policy Email notification to subscription owner for high severity alerts should be enabled (0b15565f-aa9e-48ba-8619-45960f2c314d)
add Policy Storage accounts should restrict network access using virtual network rules (2a1a9cdf-e04d-429a-8416-3bfb72a1b26f)
add Policy Storage accounts should use private link (6edd7eda-6dd8-40f7-810d-67160c639cd9)
add Policy Azure Cache for Redis should reside within a virtual network (7d092e0a-7acd-40d2-a975-dca21cae48c4)
add Policy Key vaults should have purge protection enabled (0b60c0b2-2dc2-4e1c-b5c9-abbed971de53)
add Policy Storage accounts should use customer-managed key for encryption (6fac406b-40ca-413b-bf8e-0bf964659c25)
add Policy Container registries should be encrypted with a customer-managed key (5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580)
add Policy Azure Spring Cloud should use network injection (af35e2a4-ef96-44e7-a9ae-853dd97032c4)
add Policy Function apps should have 'Client Certificates (Incoming client certificates)' enabled (eaebaea7-8013-4ceb-9d14-7eb32271373c)
add Policy Web Application Firewall (WAF) should be enabled for Azure Front Door Service service (055aa869-bc98-4af8-bafc-23f1ab6ffe2c)
add Policy Key vaults should have soft delete enabled (1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d)
add Policy Public network access should be disabled for MySQL servers (d9844e8a-1437-4aeb-a32c-0c992f056095)
add Policy Auto provisioning of the Log Analytics agent should be enabled on your subscription (475aae12-b88a-4572-8b36-9b712b2b3a17)
add Policy [Preview]: Azure Key Vault should disable public network access (55615ac9-af46-4a59-874e-391cc3dfb490)
add Policy Azure Event Grid domains should use private link (9830b652-8523-49cc-b1b3-e17dce1127ca)
add Policy [Preview]: Private endpoint should be configured for Key Vault (5f0bc445-3935-4915-9981-011aa2b46147)
add Policy Subscriptions should have a contact email address for security issues (4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7)
add Policy Container registries should use private link (e8eef0a8-67cf-4eb4-9386-14b0e78733d4)
add Policy Web Application Firewall (WAF) should be enabled for Application Gateway (564feb30-bf6a-4854-b4bb-0d2d2d1e6c66)
2020-12-11 15:42:52 add Policy Key Vault secrets should have an expiration date (98728c90-32c7-4049-8429-847dc0f4fe37)
add Policy Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity (d26f7642-7545-4e18-9b75-8c9bbdee3a9a)
add Policy Key Vault keys should have an expiration date (152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0)
add Policy Guest Configuration extension should be installed on your machines (ae89ebca-1c92-4898-ac2c-9f63decb045c)
remove Policy [Deprecated]: Audit Windows virtual machines on which the Windows Guest Configuration extension is not enabled (5fc23db3-dd4d-4c56-bcc7-43626243e601)
2020-10-27 14:12:47 add Policy Geo-redundant backup should be enabled for Azure Database for MariaDB (0ec47710-77ff-4a3d-9181-6aa50af424d0)
add Policy Private endpoint should be enabled for MariaDB servers (0a1302fb-a631-4106-9753-f3d494733990)
add Policy Ensure that 'PHP version' is the latest, if used as a part of the WEB app (7261b898-8a84-4db8-9e04-18527132abb3)
add Policy Ensure that 'Python version' is the latest, if used as a part of the Web app (7008174a-fd10-4ef0-817e-fc820a951d73)
add Policy Geo-redundant backup should be enabled for Azure Database for MySQL (82339799-d096-41ae-8538-b108becf0970)
add Policy Enforce SSL connection should be enabled for PostgreSQL database servers (d158790f-bfb0-486c-8631-2dc6b4e8e6af)
add Policy Enforce SSL connection should be enabled for MySQL database servers (e802a67a-daf5-4436-9ea6-f6d821dd0c5d)
add Policy Ensure that 'Java version' is the latest, if used as a part of the Function app (9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc)
add Policy Ensure that 'Python version' is the latest, if used as a part of the Function app (7238174a-fd10-4ef0-817e-fc820a951d73)
add Policy Geo-redundant backup should be enabled for Azure Database for PostgreSQL (48af4db5-9b8b-401c-8e74-076be876a430)
add Policy Private endpoint should be enabled for PostgreSQL servers (0564d078-92f5-4f97-8398-b9f58a51f70b)
add Policy Private endpoint should be enabled for MySQL servers (7595c971-233d-4bcf-bd18-596129188c49)
add Policy Ensure that 'Java version' is the latest, if used as a part of the Web app (496223c3-ad65-4ecd-878a-bae78737e9ed)
add Policy Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On' (5bb220d9-2698-4ee4-8404-b9c30c9df609)
add Policy Ensure that 'PHP version' is the latest, if used as a part of the API app (1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba)
add Policy Ensure that 'Java version' is the latest, if used as a part of the API app (88999f4c-376a-45c8-bcb3-4058f713cf39)
add Policy Ensure that 'Python version' is the latest, if used as a part of the API app (74c3584d-afae-46f7-a20a-6f8adba71a16)
2020-10-13 13:23:38 add Policy Azure Backup should be enabled for Virtual Machines (013e242c-8828-4970-87b3-ab247555486d)
2020-09-15 14:06:41 add Policy [Deprecated]: Operating system version should be the most current version for your cloud service roles (5a913c68-0590-402c-a531-e57e19379da3)
add Policy Log Analytics agent health issues should be resolved on your machines (d62cfe2b-3ab0-4d41-980d-76803b58ca65)
add Policy Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring (a3a6ea0c-e018-4933-9ef0-5aaa1501449b)
add Policy Service principals should be used to protect your subscriptions instead of management certificates (6646a0bd-e110-40ca-bb97-84fcee63c414)
add Policy Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring (a4fe33eb-e377-4efb-ab31-0784311bc499)
remove Policy [Deprecated]: Pod Security Policies should be defined on Kubernetes Services (3abeb944-26af-43ee-b83d-32aaf060fb94)
2020-08-28 14:17:28 add Policy [Preview]: Storage account public access should be disallowed (4fa4b6c0-31ca-4c0d-b10d-24b96f62a751)
2020-08-20 14:04:33 add Policy Kubernetes cluster containers should only use allowed capabilities (c26596ff-4d70-4e6a-9a30-c2506bd2f80c)
add Policy Kubernetes cluster pods should only use approved host network and port range (82985f06-dc18-4a48-bc1c-b9f4f0098cfe)
add Policy Kubernetes cluster containers should not share host process ID or host IPC namespace (47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8)
add Policy Kubernetes cluster containers should only use allowed AppArmor profiles (511f5417-5d12-434d-ab2e-816901e72a5e)
add Policy Kubernetes cluster containers should run with a read only root file system (df49d893-a74c-421d-bc95-c663042e5b80)
add Policy Vulnerabilities in Azure Container Registry images should be remediated (5f0f936f-2f01-4bf5-b6be-d423792fa562)
add Policy Kubernetes clusters should not allow container privilege escalation (1c6e92c9-99f0-4e55-9cf2-0c234dc48f99)
add Policy Kubernetes cluster pod hostPath volumes should only use allowed host paths (098fc59e-46c7-4d99-9b16-64990e543d75)
remove Policy SQL Auditing settings should have Action-Groups configured to capture critical activities (7ff426e2-515f-405a-91c8-4f2333442eb5)
2020-08-07 14:05:08 add Policy Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters (0a15ec92-a229-4763-bb14-0ea34a568f8d)
add Policy Kubernetes cluster pods and containers should only run with approved user and group IDs (f06ddb64-5fa3-4b77-b166-acb36f7f6042)
add Policy Kubernetes cluster services should listen only on allowed ports (233a2a17-77ca-4fb1-9b6b-69223d272a44)
add Policy Kubernetes cluster should not allow privileged containers (95edb821-ddaf-4404-9732-666045e056b4)
add Policy Kubernetes cluster containers should only listen on allowed ports (440b515e-a580-421e-abeb-b159a61ddcbc)
add Policy Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits (e345eecc-fa47-480f-9e88-67dcc122b164)
add Policy Kubernetes cluster containers should only use allowed images (febd0533-8e55-448f-b837-bd0e06f16469)
2020-06-23 16:03:23 add Policy Azure Defender for Kubernetes should be enabled (523b5cd1-3e23-492f-a539-13118b6d1e3a)
add Policy Azure Defender for Azure SQL Database servers should be enabled (7fe3b40f-802b-4cdd-8bd4-fd799c948cc2)
add Policy Azure Defender for SQL servers on machines should be enabled (6581d072-105e-4418-827f-bd446d56421b)
add Policy Azure Defender for Key Vault should be enabled (0e6763cc-5078-4e64-889d-ff4d9a839047)
add Policy Azure Defender for servers should be enabled (4da35fc9-c9e7-4960-aec9-797fe7d9051d)
add Policy Azure Defender for Storage should be enabled (308fbb08-4ab8-4e67-9b29-592e93fb94fa)
add Policy Azure Defender for App Service should be enabled (2913021d-f2fd-4f3d-b958-22354e2bdbcb)
add Policy Azure Defender for container registries should be enabled (c25d9a16-bc35-4e15-a7e5-9db606bf9ed4)
remove Policy [Deprecated]: Advanced data security settings for SQL server should contain an email address to receive security alerts (9677b740-f641-4f3c-b9c5-466005c85278)
remove Policy [Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL Managed Instance advanced data security settings (bda18df3-5e41-4709-add9-2554ce68c966)
remove Policy [Deprecated]: Advanced data security settings for SQL Managed Instance should contain an email address for security alerts (3965c43d-b5f4-482e-b74a-d89ee0e0b3a8)
remove Policy [Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL server Advanced Data Security settings (e756b945-1b1b-480b-8de8-9a0859d5f7ad)
remove Policy [Deprecated]: Email notifications to admins should be enabled in SQL server advanced data security settings (c8343d2f-fdc9-4a97-b76f-fc71d1163bfc)
remove Policy [Deprecated]: Email notifications to admins should be enabled in SQL Managed Instance advanced data security settings (aeb23562-188d-47cb-80b8-551f16ef9fff)
2020-06-11 19:46:04 add Policy Non-internet-facing virtual machines should be protected with network security groups (bb91dfba-c30d-4263-9add-9c2384e659a6)
remove Policy All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace (a1817ec0-a368-432a-8057-8371e17ac6ee)
remove Policy All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace (b278e460-7cfc-4451-8294-cccc40a940d7)
remove Policy Authorization rules on the Event Hub instance should be defined (f4826e5f-6a27-407c-ae3e-9582eb39891d)
2020-05-29 15:39:26 add Policy [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines (842c54e8-c2f9-4d79-ae8d-38d8b8019373)
add Policy Allowlist rules in your adaptive application control policy should be updated (123a3936-f020-408a-ba0c-47873faf1534)
add Policy [Preview]: Certificates should have the specified maximum validity period (0a075868-4c26-42ef-914c-5bc007359560)
add Policy [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines (d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e)
2020-04-22 04:43:14 add Policy Windows Defender Exploit Guard should be enabled on your machines (bed48b13-6647-468e-aa2f-1af1d3f4dd40)
add Policy [Deprecated]: Audit Windows virtual machines on which the Windows Guest Configuration extension is not enabled (5fc23db3-dd4d-4c56-bcc7-43626243e601)
add Policy [Preview]: All Internet traffic should be routed via your deployed Azure Firewall (fc5e4038-4584-4632-8c85-c0448d374b2c)
2020-03-10 16:29:48 Name change: '[Preview]: Enable Monitoring in Azure Security Center' to 'Enable Monitoring in Azure Security Center'
2020-02-20 08:25:18 remove Policy [Deprecated]: Access to App Services should be restricted (1a833ff1-d297-4a0f-9944-888428f8e0ff)
remove Policy [Deprecated]: Web ports should be restricted on Network Security Groups associated to your VM (201ea587-7c90-41c3-910f-c280ae01cfd6)
2019-12-04 08:49:52 remove Policy Metric alert rules should be configured on Batch accounts (26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7)
2019-11-27 16:13:13 add Policy [Preview]: Network traffic data collection agent should be installed on Linux virtual machines (04c4380f-3fae-46e8-96c9-30193528f602)
add Policy [Preview]: Network traffic data collection agent should be installed on Windows virtual machines (2f2ee1de-44aa-4762-b6bd-0893fc3f306d)
2019-10-29 23:53:40 add Policy Managed identity should be used in your API App (c4d441f8-f9d9-4a9e-9cef-e82117cb3eef)
add Policy Latest TLS version should be used in your Function App (f9d614c5-c173-4d56-95a7-b4437057d193)
add Policy Latest TLS version should be used in your API App (8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e)
add Policy FTPS should be required in your Web App (4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b)
add Policy Latest TLS version should be used in your Web App (f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b)
add Policy FTPS only should be required in your API App (9a1b8c48-453a-4044-86c3-d8bfd823e4f5)
add Policy Managed identity should be used in your Web App (2b9ad585-36bc-4615-b300-fd4435808332)
add Policy Managed identity should be used in your Function App (0da106f2-4ca3-48e8-bc85-c638fe6aea8f)
add Policy FTPS only should be required in your Function App (399b2637-a50f-4f95-96f8-3a145476eb15)
Policy count Total Policies: 205
Builtin Policies: 205
Static Policies: 0
Policy used
Policy DisplayName Policy Id Category Effect State
[Preview]: All Internet traffic should be routed via your deployed Azure Firewall fc5e4038-4584-4632-8c85-c0448d374b2c Network Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Preview
[Preview]: Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed 8dfab9c4-fe7b-49ad-85e4-1e9be085358f Kubernetes Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Preview
[Preview]: Azure Key Vault should disable public network access 55615ac9-af46-4a59-874e-391cc3dfb490 Key Vault Default: Audit
Allowed: (Audit, Deny, Disabled)
Preview
[Preview]: Azure Kubernetes Service clusters should have Azure Defender profile enabled a1840de2-8088-4ea8-b153-b4c723e9cb01 Kubernetes Default: Audit
Allowed: (Audit, Disabled)
Preview
[Preview]: Certificates should have the specified maximum validity period 0a075868-4c26-42ef-914c-5bc007359560 Key Vault Default: audit
Allowed: (audit, deny, disabled)
Preview
[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines 672fe5a1-2fcd-42d7-b85d-902b6e28c6ff Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Preview
[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets a21f8c92-9e22-4f09-b759-50500d1d2dda Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Preview
[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines 1cb4d9c2-f88f-4069-bee0-dba239a57b09 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Preview
[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets f655e522-adff-494d-95c2-52d4f6d56a42 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Preview
[Preview]: Linux machines should meet requirements for the Azure compute security baseline fc9b3da7-8347-4380-8e70-0a0361d8dedd Guest Configuration Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Preview
[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines 842c54e8-c2f9-4d79-ae8d-38d8b8019373 Monitoring Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Preview
[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e Monitoring Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Preview
[Preview]: Network traffic data collection agent should be installed on Linux virtual machines 04c4380f-3fae-46e8-96c9-30193528f602 Monitoring Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Preview
[Preview]: Network traffic data collection agent should be installed on Windows virtual machines 2f2ee1de-44aa-4762-b6bd-0893fc3f306d Monitoring Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Preview
[Preview]: Private endpoint should be configured for Key Vault 5f0bc445-3935-4915-9981-011aa2b46147 Key Vault Default: Audit
Allowed: (Audit, Deny, Disabled)
Preview
[Preview]: Secure Boot should be enabled on supported Windows virtual machines 97566dd7-78ae-4997-8b36-1c7bfe0d8121 Security Center Default: Audit
Allowed: (Audit, Disabled)
Preview
[Preview]: Sensitive data in your SQL databases should be classified cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Preview
[Preview]: Storage account public access should be disallowed 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 Storage Default: audit
Allowed: (audit, deny, disabled)
Preview
[Preview]: vTPM should be enabled on supported virtual machines 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 Security Center Default: Audit
Allowed: (Audit, Disabled)
Preview
[Preview]: Windows machines should meet requirements of the Azure compute security baseline 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc Guest Configuration Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Preview
A maximum of 3 owners should be designated for your subscription 4f11b553-d42e-4e3a-89be-32ca364cad4c Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
A vulnerability assessment solution should be enabled on your virtual machines 501541f7-f7e7-4cd6-868c-4190fdad3ac9 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Adaptive application controls for defining safe applications should be enabled on your machines 47a6b606-51aa-4496-8bb7-64b11cf66adc Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Adaptive network hardening recommendations should be applied on internet facing virtual machines 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
All network ports should be restricted on network security groups associated to your virtual machine 9daedab3-fb2d-461e-b861-71790eead4f6 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Allowlist rules in your adaptive application control policy should be updated 123a3936-f020-408a-ba0c-47873faf1534 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
An Azure Active Directory administrator should be provisioned for SQL servers 1f314764-cb73-4fc9-b863-8eca98ac36e9 SQL Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
API App should only be accessible over HTTPS b7ddfbdc-1260-477d-91fd-98bd9be789a6 App Service Default: Audit
Allowed: (Audit, Disabled)
GA
API Management services should use a virtual network ef619a2c-cc4d-4d03-b2ba-8c94a834d85b API Management Default: Audit
Allowed: (Audit, Disabled)
GA
App Configuration should use private link ca610c1d-041c-4332-9d88-7ed3094967c7 App Configuration Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Audit usage of custom RBAC rules a451c1ef-c6ca-483d-87ed-f49761e3ffb5 General Default: Audit
Allowed: (Audit, Disabled)
GA
Auditing on SQL server should be enabled a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 SQL Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Authentication to Linux machines should require SSH keys 630c64f9-8b6b-4c64-b511-6544ceff6fd6 Guest Configuration Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Authorized IP ranges should be defined on Kubernetes Services 0e246bcf-5f6f-4f87-bc6f-775d4712c7ea Security Center Default: Audit
Allowed: (Audit, Disabled)
GA
Auto provisioning of the Log Analytics agent should be enabled on your subscription 475aae12-b88a-4572-8b36-9b712b2b3a17 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Automation account variables should be encrypted 3657f5a0-770e-44a3-b44e-9431ba1e9735 Automation Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Azure Backup should be enabled for Virtual Machines 013e242c-8828-4970-87b3-ab247555486d Backup Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Azure Cache for Redis should reside within a virtual network 7d092e0a-7acd-40d2-a975-dca21cae48c4 Cache Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Azure Cosmos DB accounts should have firewall rules 862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb Cosmos DB Default: Deny
Allowed: (Audit, Deny, Disabled)
GA
Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest 1f905d99-2ab7-462c-a6b0-f709acca6c8f Cosmos DB Default: audit
Allowed: (audit, deny, disabled)
GA
Azure DDoS Protection Standard should be enabled a7aca53f-2ed4-4466-a25e-0b45ade68efd Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Azure Defender for App Service should be enabled 2913021d-f2fd-4f3d-b958-22354e2bdbcb Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Azure Defender for Azure SQL Database servers should be enabled 7fe3b40f-802b-4cdd-8bd4-fd799c948cc2 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Azure Defender for container registries should be enabled c25d9a16-bc35-4e15-a7e5-9db606bf9ed4 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Azure Defender for DNS should be enabled bdc59948-5574-49b3-bb91-76b7c986428d Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Azure Defender for Key Vault should be enabled 0e6763cc-5078-4e64-889d-ff4d9a839047 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Azure Defender for Kubernetes should be enabled 523b5cd1-3e23-492f-a539-13118b6d1e3a Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Azure Defender for open-source relational databases should be enabled 0a9fbe0d-c5c4-4da8-87d8-f4fd77338835 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Azure Defender for Resource Manager should be enabled c3d20c29-b36d-48fe-808b-99a87530ad99 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Azure Defender for servers should be enabled 4da35fc9-c9e7-4960-aec9-797fe7d9051d Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Azure Defender for SQL servers on machines should be enabled 6581d072-105e-4418-827f-bd446d56421b Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Azure Defender for SQL should be enabled for unprotected Azure SQL servers abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9 SQL Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9 SQL Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Azure Defender for Storage should be enabled 308fbb08-4ab8-4e67-9b29-592e93fb94fa Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Azure Event Grid domains should use private link 9830b652-8523-49cc-b1b3-e17dce1127ca Event Grid Default: Audit
Allowed: (Audit, Disabled)
GA
Azure Event Grid topics should use private link 4b90e17e-8448-49db-875e-bd83fb6f804f Event Grid Default: Audit
Allowed: (Audit, Disabled)
GA
Azure Machine Learning workspaces should be encrypted with a customer-managed key ba769a63-b8cc-4b2d-abf6-ac33c7204be8 Machine Learning Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Azure Machine Learning workspaces should use private link 40cec1dd-a100-4920-b15b-3024fe8901ab Machine Learning Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters 0a15ec92-a229-4763-bb14-0ea34a568f8d Kubernetes Default: Audit
Allowed: (Audit, Disabled)
GA
Azure SignalR Service should use private link 53503636-bcc9-4748-9663-5348217f160f SignalR Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Azure Spring Cloud should use network injection af35e2a4-ef96-44e7-a9ae-853dd97032c4 App Platform Default: Audit
Allowed: (Audit, Disabled, Deny)
GA
Cognitive Services accounts should disable public network access 0725b4dd-7e76-479c-a735-68e7ee23d5ca Cognitive Services Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Cognitive Services accounts should enable data encryption with a customer-managed key 67121cc7-ff39-4ab8-b7e3-95b84dab487d Cognitive Services Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Cognitive Services accounts should restrict network access 037eea7a-bd0a-46c5-9a66-03aea78705d3 Cognitive Services Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Container registries should be encrypted with a customer-managed key 5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580 Container Registry Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Container registries should not allow unrestricted network access d0793b48-0edc-4296-a390-4c75d1bdfd71 Container Registry Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Container registries should use private link e8eef0a8-67cf-4eb4-9386-14b0e78733d4 Container Registry Default: Audit
Allowed: (Audit, Disabled)
GA
CORS should not allow every resource to access your API App 358c20a6-3f9e-4f0e-97ff-c6ce485e2aac App Service Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
CORS should not allow every resource to access your Function Apps 0820b7b9-23aa-4725-a1ce-ae4558f718e5 App Service Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
CORS should not allow every resource to access your Web Applications 5744710e-cc2f-4ee8-8809-3b11e89f4bc9 App Service Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Deprecated accounts should be removed from your subscription 6b1cbf55-e8b6-442f-ba4c-7246b6381474 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Deprecated accounts with owner permissions should be removed from your subscription ebb62a0c-3560-49e1-89ed-27e074e9f8ad Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Diagnostic logs in App Services should be enabled b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0 App Service Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Email notification for high severity alerts should be enabled 6e2593d9-add6-4083-9c9b-4b7d2188c899 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Email notification to subscription owner for high severity alerts should be enabled 0b15565f-aa9e-48ba-8619-45960f2c314d Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Endpoint protection health issues should be resolved on your machines 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Endpoint protection should be installed on your machines 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Endpoint protection solution should be installed on virtual machine scale sets 26a828e1-e88f-464e-bbb3-c134a282b9de Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Enforce SSL connection should be enabled for MySQL database servers e802a67a-daf5-4436-9ea6-f6d821dd0c5d SQL Default: Audit
Allowed: (Audit, Disabled)
GA
Enforce SSL connection should be enabled for PostgreSQL database servers d158790f-bfb0-486c-8631-2dc6b4e8e6af SQL Default: Audit
Allowed: (Audit, Disabled)
GA
Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On' 0c192fe8-9cbb-4516-85b3-0ade8bd03886 App Service Default: Audit
Allowed: (Audit, Disabled)
GA
Ensure that 'Java version' is the latest, if used as a part of the API app 88999f4c-376a-45c8-bcb3-4058f713cf39 App Service Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Ensure that 'Java version' is the latest, if used as a part of the Function app 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc App Service Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Ensure that 'Java version' is the latest, if used as a part of the Web app 496223c3-ad65-4ecd-878a-bae78737e9ed App Service Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Ensure that 'PHP version' is the latest, if used as a part of the API app 1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba App Service Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Ensure that 'PHP version' is the latest, if used as a part of the WEB app 7261b898-8a84-4db8-9e04-18527132abb3 App Service Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Ensure that 'Python version' is the latest, if used as a part of the API app 74c3584d-afae-46f7-a20a-6f8adba71a16 App Service Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Ensure that 'Python version' is the latest, if used as a part of the Function app 7238174a-fd10-4ef0-817e-fc820a951d73 App Service Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Ensure that 'Python version' is the latest, if used as a part of the Web app 7008174a-fd10-4ef0-817e-fc820a951d73 App Service Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On' 5bb220d9-2698-4ee4-8404-b9c30c9df609 App Service Default: Audit
Allowed: (Audit, Disabled)
GA
External accounts with owner permissions should be removed from your subscription f8456c1c-aa66-4dfb-861a-25d127b775c9 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
External accounts with read permissions should be removed from your subscription 5f76cf89-fbf2-47fd-a3f4-b891fa780b60 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
External accounts with write permissions should be removed from your subscription 5c607a2e-c700-4744-8254-d77e7c9eb5e4 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
FTPS only should be required in your API App 9a1b8c48-453a-4044-86c3-d8bfd823e4f5 App Service Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
FTPS only should be required in your Function App 399b2637-a50f-4f95-96f8-3a145476eb15 App Service Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
FTPS should be required in your Web App 4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b App Service Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Function App should only be accessible over HTTPS 6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab App Service Default: Audit
Allowed: (Audit, Disabled)
GA
Function apps should have 'Client Certificates (Incoming client certificates)' enabled eaebaea7-8013-4ceb-9d14-7eb32271373c App Service Default: Audit
Allowed: (Audit, Disabled)
GA
Geo-redundant backup should be enabled for Azure Database for MariaDB 0ec47710-77ff-4a3d-9181-6aa50af424d0 SQL Default: Audit
Allowed: (Audit, Disabled)
GA
Geo-redundant backup should be enabled for Azure Database for MySQL 82339799-d096-41ae-8538-b108becf0970 SQL Default: Audit
Allowed: (Audit, Disabled)
GA
Geo-redundant backup should be enabled for Azure Database for PostgreSQL 48af4db5-9b8b-401c-8e74-076be876a430 SQL Default: Audit
Allowed: (Audit, Disabled)
GA
Guest Configuration extension should be installed on your machines ae89ebca-1c92-4898-ac2c-9f63decb045c Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Internet-facing virtual machines should be protected with network security groups f6de0be7-9a8a-4b8a-b349-43cf02d22f7c Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
IP Forwarding on your virtual machine should be disabled bd352bd5-2853-4985-bf0d-73806b4a5744 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Key Vault keys should have an expiration date 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 Key Vault Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Key Vault secrets should have an expiration date 98728c90-32c7-4049-8429-847dc0f4fe37 Key Vault Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Key vaults should have purge protection enabled 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 Key Vault Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Key vaults should have soft delete enabled 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d Key Vault Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits e345eecc-fa47-480f-9e88-67dcc122b164 Kubernetes Default: deny
Allowed: (audit, deny, disabled)
GA
Kubernetes cluster containers should not share host process ID or host IPC namespace 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 Kubernetes Default: audit
Allowed: (audit, deny, disabled)
GA
Kubernetes cluster containers should only listen on allowed ports 440b515e-a580-421e-abeb-b159a61ddcbc Kubernetes Default: deny
Allowed: (audit, deny, disabled)
GA
Kubernetes cluster containers should only use allowed AppArmor profiles 511f5417-5d12-434d-ab2e-816901e72a5e Kubernetes Default: audit
Allowed: (audit, deny, disabled)
GA
Kubernetes cluster containers should only use allowed capabilities c26596ff-4d70-4e6a-9a30-c2506bd2f80c Kubernetes Default: audit
Allowed: (audit, deny, disabled)
GA
Kubernetes cluster containers should only use allowed images febd0533-8e55-448f-b837-bd0e06f16469 Kubernetes Default: deny
Allowed: (audit, deny, disabled)
GA
Kubernetes cluster containers should run with a read only root file system df49d893-a74c-421d-bc95-c663042e5b80 Kubernetes Default: audit
Allowed: (audit, deny, disabled)
GA
Kubernetes cluster pod hostPath volumes should only use allowed host paths 098fc59e-46c7-4d99-9b16-64990e543d75 Kubernetes Default: audit
Allowed: (audit, deny, disabled)
GA
Kubernetes cluster pods and containers should only run with approved user and group IDs f06ddb64-5fa3-4b77-b166-acb36f7f6042 Kubernetes Default: audit
Allowed: (audit, deny, disabled)
GA
Kubernetes cluster pods should only use approved host network and port range 82985f06-dc18-4a48-bc1c-b9f4f0098cfe Kubernetes Default: audit
Allowed: (audit, deny, disabled)
GA
Kubernetes cluster services should listen only on allowed ports 233a2a17-77ca-4fb1-9b6b-69223d272a44 Kubernetes Default: deny
Allowed: (audit, deny, disabled)
GA
Kubernetes cluster should not allow privileged containers 95edb821-ddaf-4404-9732-666045e056b4 Kubernetes Default: deny
Allowed: (audit, deny, disabled)
GA
Kubernetes clusters should be accessible only over HTTPS 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d Kubernetes Default: deny
Allowed: (audit, deny, disabled)
GA
Kubernetes clusters should disable automounting API credentials 423dd1ba-798e-40e4-9c4d-b6902674b423 Kubernetes Default: audit
Allowed: (audit, deny, disabled)
GA
Kubernetes clusters should gate deployment of vulnerable images 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759 Kubernetes Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Kubernetes clusters should not allow container privilege escalation 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 Kubernetes Default: audit
Allowed: (audit, deny, disabled)
GA
Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities d2e7ea85-6b44-4317-a0be-1b951587f626 Kubernetes Default: audit
Allowed: (audit, deny, disabled)
GA
Kubernetes clusters should not use the default namespace 9f061a12-e40d-4183-a00e-171812443373 Kubernetes Default: audit
Allowed: (audit, deny, disabled)
GA
Latest TLS version should be used in your API App 8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e App Service Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Latest TLS version should be used in your Function App f9d614c5-c173-4d56-95a7-b4437057d193 App Service Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Latest TLS version should be used in your Web App f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b App Service Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Log Analytics agent health issues should be resolved on your machines d62cfe2b-3ab0-4d41-980d-76803b58ca65 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring a4fe33eb-e377-4efb-ab31-0784311bc499 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring a3a6ea0c-e018-4933-9ef0-5aaa1501449b Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Managed identity should be used in your API App c4d441f8-f9d9-4a9e-9cef-e82117cb3eef App Service Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Managed identity should be used in your Function App 0da106f2-4ca3-48e8-bc85-c638fe6aea8f App Service Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Managed identity should be used in your Web App 2b9ad585-36bc-4615-b300-fd4435808332 App Service Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Management ports of virtual machines should be protected with just-in-time network access control b0f33259-77d7-4c9e-aac6-3aabcfae693c Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Management ports should be closed on your virtual machines 22730e10-96f6-4aac-ad84-9383d35b5917 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
MFA should be enabled accounts with write permissions on your subscription 9297c21d-2ed6-4474-b48f-163f75654ce3 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
MFA should be enabled on accounts with owner permissions on your subscription aa633080-8b72-40c4-a2d7-d00c03e80bed Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
MFA should be enabled on accounts with read permissions on your subscription e3576e28-8b17-4677-84c3-db2990658d64 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Monitor missing Endpoint Protection in Azure Security Center af6cd1bd-1635-48cb-bde7-5b15693900b9 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
MySQL servers should use customer-managed keys to encrypt data at rest 83cef61d-dbd1-4b20-a4fc-5fbc7da10833 SQL Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Network Watcher should be enabled b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 Network Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Non-internet-facing virtual machines should be protected with network security groups bb91dfba-c30d-4263-9add-9c2384e659a6 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Only secure connections to your Azure Cache for Redis should be enabled 22bee202-a82f-4305-9a2a-6d7f44d4dedb Cache Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
PostgreSQL servers should use customer-managed keys to encrypt data at rest 18adea5e-f416-4d0f-8aa8-d24321e3e274 SQL Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Private endpoint connections on Azure SQL Database should be enabled 7698e800-9299-47a6-b3b6-5a0fee576eed SQL Default: Audit
Allowed: (Audit, Disabled)
GA
Private endpoint should be enabled for MariaDB servers 0a1302fb-a631-4106-9753-f3d494733990 SQL Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Private endpoint should be enabled for MySQL servers 7595c971-233d-4bcf-bd18-596129188c49 SQL Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Private endpoint should be enabled for PostgreSQL servers 0564d078-92f5-4f97-8398-b9f58a51f70b SQL Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Public network access on Azure SQL Database should be disabled 1b8ca024-1d5c-4dec-8995-b1a932b41780 SQL Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Public network access should be disabled for MariaDB servers fdccbe47-f3e3-4213-ad5d-ea459b2fa077 SQL Default: Audit
Allowed: (Audit, Disabled)
GA
Public network access should be disabled for MySQL servers d9844e8a-1437-4aeb-a32c-0c992f056095 SQL Default: Audit
Allowed: (Audit, Disabled)
GA
Public network access should be disabled for PostgreSQL servers b52376f7-9612-48a1-81cd-1ffe4b61032c SQL Default: Audit
Allowed: (Audit, Disabled)
GA
Remote debugging should be turned off for API Apps e9c8d085-d9cc-4b17-9cdc-059f1f01f19e App Service Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Remote debugging should be turned off for Function Apps 0e60b895-3786-45da-8377-9c6b4b6ac5f9 App Service Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Remote debugging should be turned off for Web Applications cb510bfd-1cba-4d9f-a230-cb0976f4bb71 App Service Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Resource logs in Azure Data Lake Store should be enabled 057ef27e-665e-4328-8ea3-04b3122bd9fb Data Lake Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Resource logs in Azure Kubernetes Service should be enabled 245fc9df-fa96-4414-9a0b-3738c2f7341c Kubernetes Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Resource logs in Azure Stream Analytics should be enabled f9be5368-9bf5-4b84-9e0a-7850da98bb46 Stream Analytics Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Resource logs in Batch accounts should be enabled 428256e6-1fac-4f48-a757-df34c2b3336d Batch Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Resource logs in Data Lake Analytics should be enabled c95c74d9-38fe-4f0d-af86-0c7d626a315c Data Lake Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Resource logs in Event Hub should be enabled 83a214f7-d01a-484b-91a9-ed54470c9a6a Event Hub Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Resource logs in IoT Hub should be enabled 383856f8-de7f-44a2-81fc-e5135b5c2aa4 Internet of Things Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Resource logs in Key Vault should be enabled cf820ca0-f99e-4f3e-84fb-66e913812d21 Key Vault Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Resource logs in Logic Apps should be enabled 34f95f76-5386-4de7-b824-0d8478470c9d Logic Apps Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Resource logs in Search services should be enabled b4330a05-a843-4bc8-bf9a-cacce50c67f4 Search Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Resource logs in Service Bus should be enabled f8d36e2f-389b-4ee4-898d-21aeb69a0f45 Service Bus Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Resource logs in Virtual Machine Scale Sets should be enabled 7c1b1214-f927-48bf-8882-84f0af6588b1 Compute Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Role-Based Access Control (RBAC) should be used on Kubernetes Services ac4a19c2-fa67-49b4-8ae5-0b2e78c49457 Security Center Default: Audit
Allowed: (Audit, Disabled)
GA
Secure transfer to storage accounts should be enabled 404c3081-a854-4457-ae30-26a93ef643f9 Storage Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign 617c02be-7f02-4efd-8836-3180d47b6c68 Service Fabric Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Service Fabric clusters should only use Azure Active Directory for client authentication b54ed75b-3e1a-44ac-a333-05ba39b99ff0 Service Fabric Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Service principals should be used to protect your subscriptions instead of management certificates 6646a0bd-e110-40ca-bb97-84fcee63c414 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
SQL databases should have vulnerability findings resolved feedbf84-6b99-488c-acc2-71c829aa5ffc Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
SQL managed instances should use customer-managed keys to encrypt data at rest 048248b0-55cd-46da-b1ff-39efd52db260 SQL Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
SQL servers on machines should have vulnerability findings resolved 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
SQL servers should use customer-managed keys to encrypt data at rest 0d134df8-db83-46fb-ad72-fe0c9428c8dd SQL Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
SQL servers with auditing to storage account destination should be configured with 90 days retention or higher 89099bee-89e0-4b26-a5f4-165451757743 SQL Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Storage accounts should be migrated to new Azure Resource Manager resources 37e0d2fe-28a5-43d6-a273-67d37d1f5606 Storage Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Storage accounts should restrict network access 34c877ad-507e-4c82-993e-3452a6e0ad3c Storage Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Storage accounts should restrict network access using virtual network rules 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f Storage Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Storage accounts should use customer-managed key for encryption 6fac406b-40ca-413b-bf8e-0bf964659c25 Storage Default: Audit
Allowed: (Audit, Disabled)
GA
Storage accounts should use private link 6edd7eda-6dd8-40f7-810d-67160c639cd9 Storage Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Subnets should be associated with a Network Security Group e71308d3-144b-4262-b144-efdc3cc90517 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Subscriptions should have a contact email address for security issues 4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
System updates on virtual machine scale sets should be installed c3f317a7-a95c-4547-b7e7-11017ebdf2fe Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
System updates should be installed on your machines 86b3d65f-7626-441e-b690-81a8b71cff60 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
There should be more than one owner assigned to your subscription 09024ccc-0c5f-475e-9457-b7c0d9ed487b Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Transparent Data Encryption on SQL databases should be enabled 17k78e20-9358-41c9-923c-fb736d382a12 SQL Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity d26f7642-7545-4e18-9b75-8c9bbdee3a9a Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Virtual machines should be migrated to new Azure Resource Manager resources 1d84d5fb-01f6-4d12-ba4f-4a26081d403d Compute Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 0961003e-5a0a-4549-abde-af6a37f2724d Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
VM Image Builder templates should use private link 2154edb9-244f-4741-9970-660785bccdaa VM Image Builder Default: Audit
Allowed: (Audit, Disabled, Deny)
GA
Vulnerabilities in Azure Container Registry images should be remediated 5f0f936f-2f01-4bf5-b6be-d423792fa562 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Vulnerabilities in container security configurations should be remediated e8cbc669-f12d-49eb-93e7-9273119e9933 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Vulnerabilities in security configuration on your machines should be remediated e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 Security Center Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Vulnerability assessment should be enabled on SQL Managed Instance 1b7aa243-30e4-4c9e-bca8-d0d3022b634a SQL Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Vulnerability assessment should be enabled on your SQL servers ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9 SQL Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Web Application Firewall (WAF) should be enabled for Application Gateway 564feb30-bf6a-4854-b4bb-0d2d2d1e6c66 Network Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Web Application Firewall (WAF) should be enabled for Azure Front Door Service service 055aa869-bc98-4af8-bafc-23f1ab6ffe2c Network Default: Audit
Allowed: (Audit, Deny, Disabled)
GA
Web Application should only be accessible over HTTPS a4af4a39-4135-47fb-b175-47fbdf85311d App Service Default: Audit
Allowed: (Audit, Disabled)
GA
Windows Defender Exploit Guard should be enabled on your machines bed48b13-6647-468e-aa2f-1af1d3f4dd40 Guest Configuration Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
Windows web servers should be configured to use secure communication protocols 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 Guest Configuration Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
GA
JSON
{
  "displayName": "Azure Security Benchmark",
  "policyType": "BuiltIn",
  "description": "The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center.",
  "metadata": {
    "version": "32.0.0",
    "category": "Security Center"
  },
  "parameters": {
    "useServicePrincipalToProtectSubscriptionsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Service principals should be used to protect your subscriptions instead of management certificates",
        "description": "Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, use of service principals with Resource Manager is recommended to limit the impact of a certificate compromise."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "updateOsVersionMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Operating system version should be the most current version for your cloud service roles",
        "description": "Keeping the operating system (OS) on the most recent supported version for your cloud service roles enhances the systems security posture.",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "resolveLogAnalyticsHealthIssuesMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Log Analytics agent health issues should be resolved on your machines",
        "description": "Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is installed on the virtual machines and properly collects security events to the configured workspace."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "installLogAnalyticsAgentOnVmMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring",
        "description": "This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "installLogAnalyticsAgentOnVmssMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring",
        "description": "Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "certificatesValidityPeriodMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Manage certificate validity period",
        "description": "Enable or disable manage certificate validity period."
      },
      "allowedValues": [
        "audit",
        "deny",
        "disabled"
      ],
      "defaultValue": "disabled"
    },
    "certificatesValidityPeriodInMonths": {
      "type": "Integer",
      "metadata": {
        "displayName": "The maximum validity period in months of managed certificate",
        "description": "The limit to how long a certificate may be valid for. Certificates with lengthy validity periods aren't best practice."
      },
      "defaultValue": 12
    },
    "secretsExpirationSetEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Key Vault secrets should have expiration dates set",
        "description": "Enable or disable key vault secrets should have expiration dates set."
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "keysExpirationSetEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Key Vault keys should have expiration dates set",
        "description": "Enable or disable key vault keys should have expiration dates set."
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "azurePolicyforWindowsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Guest Configuration extension should be installed on virtual machines",
        "description": "Enable or disable virtual machines reporting that the Guest Configuration extension should be installed"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "gcExtOnVMWithNoSAMIMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity",
        "description": "Enable or disable Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "windowsDefenderExploitGuardMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Windows Defender Exploit Guard should be enabled on your Windows virtual machines",
        "description": "Enable or disable virtual machines reporting that Windows Defender Exploit Guard is enabled"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "windowsGuestConfigBaselinesMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Config)",
        "description": "Enable or disable virtual machines reporting Windows Baselines in Guest Config"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "linuxGuestConfigBaselinesMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Vulnerabilities in security configuration on your Linux machines should be remediated (powered by Guest Config)",
        "description": "Enable or disable virtual machines reporting Linux Baselines in Guest Config"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "vmssSystemUpdatesMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "System updates on virtual machine scale sets should be installed",
        "description": "Enable or disable virtual machine scale sets reporting of system updates"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "vmssEndpointProtectionMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Endpoint protection solution should be installed on virtual machine scale sets",
        "description": "Enable or disable virtual machine scale sets endpoint protection monitoring"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "vmssOsVulnerabilitiesMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Vulnerabilities in security configuration on your virtual machine scale sets should be remediated",
        "description": "Enable or disable virtual machine scale sets OS vulnerabilities monitoring"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "systemUpdatesMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "System updates should be installed on your machines",
        "description": "Enable or disable reporting of system updates"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "systemConfigurationsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Vulnerabilities in security configuration on your machines should be remediated",
        "description": "Enable or disable OS vulnerabilities monitoring (based on a configured baseline)"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "endpointProtectionMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Monitor missing Endpoint Protection in Azure Security Center",
        "description": "Enable or disable endpoint protection monitoring"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "diskEncryptionMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources",
        "description": "Enable or disable the monitoring for VM disk encryption"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "networkSecurityGroupsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Monitor network security groups",
        "description": "Enable or disable monitoring of network security groups with permissive rules",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "networkSecurityGroupsOnSubnetsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Network Security Groups on the subnet level should be enabled",
        "description": "Enable or disable monitoring of NSGs on subnets"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "networkSecurityGroupsOnVirtualMachinesMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Internet-facing virtual machines should be protected with network security groups",
        "description": "Enable or disable monitoring of NSGs on VMs"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "networkSecurityGroupsOnInternalVirtualMachinesMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Non-internet-facing virtual machines should be protected with network security groups",
        "description": "Enable or disable monitoring of NSGs on VMs"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "webApplicationFirewallMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Web ports should be restricted on Network Security Groups associated to your VM",
        "description": "Enable or disable the monitoring of unprotected web applications",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "nextGenerationFirewallMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "All network ports should be restricted on network security groups associated to your virtual machine",
        "description": "Enable or disable overly permissive inbound NSG rules monitoring."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "vulnerabilityAssesmentMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Vulnerabilities should be remediated by a Vulnerability Assessment solution",
        "description": "Enable or disable the detection of VM vulnerabilities by a vulnerability assessment solution",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "serverVulnerabilityAssessmentEffect": {
      "type": "String",
      "metadata": {
        "displayName": "A vulnerability assessment solution should be enabled on your virtual machines",
        "description": "Enable or disable the detection of virtual machine vulnerabilities by Azure Security Center vulnerability assessment"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "storageEncryptionMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Audit missing blob encryption for storage accounts",
        "description": "Enable or disable the monitoring of blob encryption for storage accounts",
        "deprecated": true
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "jitNetworkAccessMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Management ports of virtual machines should be protected with just-in-time network access control",
        "description": "Enable or disable the monitoring of network just-in-time access"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "adaptiveApplicationControlsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Adaptive application controls for defining safe applications should be enabled on your machines",
        "description": "Enable or disable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "adaptiveApplicationControlsUpdateMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Allowlist rules in your adaptive application control policy should be updated",
        "description": "Enable or disable the monitoring for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "sqlAuditingMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Monitor unaudited SQL servers in Azure Security Center",
        "description": "Enable or disable the monitoring of unaudited SQL databases",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "sqlEncryptionMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Monitor unencrypted SQL databases in Azure Security Center",
        "description": "Enable or disable the monitoring of unencrypted SQL databases",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "sqlDbEncryptionMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Transparent Data Encryption on SQL databases should be enabled",
        "description": "Enable or disable the monitoring of unencrypted SQL databases"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "sqlServerAuditingMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Auditing should be enabled on advanced data security settings on SQL Server",
        "description": "Enable or disable the monitoring of unaudited SQL Servers"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "sqlServerAuditingActionsAndGroupsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: SQL Auditing settings should have Action-Groups configured to capture critical activities",
        "description": "Enable or disable the monitoring of auditing policy Action-Groups and Actions setting",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "SqlServerAuditingRetentionDaysMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: SQL servers should be configured with auditing retention days greater than 90 days",
        "description": "Enable or disable the monitoring of SQL servers with auditing retention period less than 90",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "diagnosticsLogsInAppServiceMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Monitor resource logs in Azure App Services",
        "description": "Enable or disable the monitoring of resource logs in Azure App Services",
        "deprecated": true
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "diagnosticsLogsInSelectiveAppServicesMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Resource logs in App Services should be enabled",
        "description": "Enable or disable the monitoring of resource logs in Azure App Services",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "encryptionOfAutomationAccountMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Automation account variables should be encrypted",
        "description": "Enable or disable the monitoring of automation account encryption"
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "diagnosticsLogsInBatchAccountMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Resource logs in Batch accounts should be enabled",
        "description": "Enable or disable the monitoring of resource logs in Batch accounts"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "diagnosticsLogsInBatchAccountRetentionDays": {
      "type": "String",
      "metadata": {
        "displayName": "Required retention (in days) for logs in Batch accounts",
        "description": "The required resource logs retention period in days"
      },
      "defaultValue": "1"
    },
    "metricAlertsInBatchAccountMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Metric alert rules should be configured on Batch accounts",
        "description": "Enable or disable the monitoring of metric alerts in Batch accounts",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "classicComputeVMsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Virtual machines should be migrated to new Azure Resource Manager resources",
        "description": "Enable or disable the monitoring of classic compute VMs"
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "classicStorageAccountsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Storage accounts should be migrated to new Azure Resource Manager resources",
        "description": "Enable or disable the monitoring of classic storage accounts"
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "diagnosticsLogsInDataLakeAnalyticsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Resource logs in Data Lake Analytics should be enabled",
        "description": "Enable or disable the monitoring of resource logs in Data Lake Analytics accounts"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "diagnosticsLogsInDataLakeAnalyticsRetentionDays": {
      "type": "String",
      "metadata": {
        "displayName": "Required retention (in days) of logs in Data Lake Analytics accounts",
        "description": "The required resource logs retention period in days"
      },
      "defaultValue": "1"
    },
    "diagnosticsLogsInDataLakeStoreMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Resource logs in Azure Data Lake Store should be enabled",
        "description": "Enable or disable the monitoring of resource logs in Data Lake Store accounts"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "diagnosticsLogsInDataLakeStoreRetentionDays": {
      "type": "String",
      "metadata": {
        "displayName": "Required retention (in days) of logs in Data Lake Store accounts",
        "description": "The required resource logs retention period in days"
      },
      "defaultValue": "1"
    },
    "diagnosticsLogsInEventHubMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Resource logs in Event Hub should be enabled",
        "description": "Enable or disable the monitoring of resource logs in Event Hub accounts"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "diagnosticsLogsInEventHubRetentionDays": {
      "type": "String",
      "metadata": {
        "displayName": "Required retention (in days) of logs in Event Hub accounts",
        "description": "The required resource logs retention period in days"
      },
      "defaultValue": "1"
    },
    "diagnosticsLogsInKeyVaultMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Resource logs in Key Vault should be enabled",
        "description": "Enable or disable the monitoring of resource logs in Key Vault vaults"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "diagnosticsLogsInKeyVaultRetentionDays": {
      "type": "String",
      "metadata": {
        "displayName": "Required retention (in days) of logs in Key Vault vaults",
        "description": "The required resource logs retention period in days"
      },
      "defaultValue": "1"
    },
    "diagnosticsLogsInKubernetesMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Resource logs in Azure Kubernetes Service should be enabled",
        "description": "Enable or disable the monitoring of resource logs in Kubernetes managed clusters. Enabling Azure Kubernetes Service's resource logs can help recreate activity trails when investigating future security incidents"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "diagnosticsLogsInKubernetesRetentionDays": {
      "type": "String",
      "metadata": {
        "displayName": "Required retention (in days) of logs in Kubernetes managed clusters",
        "description": "The required resource logs retention period in days"
      },
      "defaultValue": "1"
    },
    "diagnosticsLogsInLogicAppsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Resource logs in Logic Apps should be enabled",
        "description": "Enable or disable the monitoring of resource logs in Logic Apps workflows"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "diagnosticsLogsInLogicAppsRetentionDays": {
      "type": "String",
      "metadata": {
        "displayName": "Required retention (in days) of logs in Logic Apps workflows",
        "description": "The required resource logs retention period in days"
      },
      "defaultValue": "1"
    },
    "diagnosticsLogsInRedisCacheMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Only secure connections to your Redis Cache should be enabled",
        "description": "Enable or disable the monitoring of resource logs in Azure Redis Cache"
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "diagnosticsLogsInSearchServiceMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Resource logs in Search services should be enabled",
        "description": "Enable or disable the monitoring of resource logs in Azure Search service"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "diagnosticsLogsInSearchServiceRetentionDays": {
      "type": "String",
      "metadata": {
        "displayName": "Required retention (in days) of logs in Azure Search service",
        "description": "The required resource logs retention period in days"
      },
      "defaultValue": "1"
    },
    "aadAuthenticationInServiceFabricMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Service Fabric clusters should only use Azure Active Directory for client authentication",
        "description": "Enable or disable the monitoring of Azure Active Directory for client authentication in Service Fabric"
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "clusterProtectionLevelInServiceFabricMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign",
        "description": "Enable or disable the monitoring of cluster protection level in Service Fabric"
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "diagnosticsLogsInServiceBusMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Resource logs in Service Bus should be enabled",
        "description": "Enable or disable the monitoring of resource logs in Service Bus"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "diagnosticsLogsInServiceBusRetentionDays": {
      "type": "String",
      "metadata": {
        "displayName": "Required retention (in days) of logs in Service Bus",
        "description": "The required resource logs retention period in days"
      },
      "defaultValue": "1"
    },
    "namespaceAuthorizationRulesInServiceBusMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace",
        "description": "Enable or disable the monitoring of Service Bus namespace authorization rules",
        "deprecated": true
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "aadAuthenticationInSqlServerMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "An Azure Active Directory administrator should be provisioned for SQL servers",
        "description": "Enable or disable the monitoring of an Azure AD admininistrator for SQL server"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "secureTransferToStorageAccountMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Secure transfer to storage accounts should be enabled",
        "description": "Enable or disable the monitoring of secure transfer to storage account"
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "diagnosticsLogsInStreamAnalyticsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Resource logs in Azure Stream Analytics should be enabled",
        "description": "Enable or disable the monitoring of resource logs in Stream Analytics"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "diagnosticsLogsInStreamAnalyticsRetentionDays": {
      "type": "String",
      "metadata": {
        "displayName": "Required retention (in days) of logs in Stream Analytics",
        "description": "The required resource logs retention period in days"
      },
      "defaultValue": "1"
    },
    "useRbacRulesMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Audit usage of custom RBAC rules",
        "description": "Enable or disable the monitoring of using built-in RBAC rules"
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "disableUnrestrictedNetworkToStorageAccountMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Audit unrestricted network access to storage accounts",
        "description": "Enable or disable the monitoring of network access to storage account"
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "diagnosticsLogsInServiceFabricMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Resource logs in Virtual Machine Scale Sets should be enabled",
        "description": "Enable or disable the monitoring of resource logs in Service Fabric"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "accessRulesInEventHubNamespaceMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace",
        "description": "Enable or disable the monitoring of access rules in Event Hub namespaces",
        "deprecated": true
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "accessRulesInEventHubMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Authorization rules on the Event Hub instance should be defined",
        "description": "Enable or disable the monitoring of access rules in Event Hubs",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "sqlDbVulnerabilityAssesmentMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "SQL databases should have vulnerability findings resolved",
        "description": "Enable or disable the monitoring of vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "serverSqlDbVulnerabilityAssesmentMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "SQL servers on machines should have vulnerability findings resolved",
        "description": "SQL Vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "sqlDbDataClassificationMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Sensitive data in your SQL databases should be classified",
        "description": "Enable or disable the monitoring of sensitive data classification in databases."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "identityDesignateLessThanOwnersMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "A maximum of 3 owners should be designated for your subscription",
        "description": "Enable or disable the monitoring of maximum owners in subscription"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "identityDesignateMoreThanOneOwnerMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "There should be more than one owner assigned to your subscription",
        "description": "Enable or disable the monitoring of minimum owners in subscription"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "identityEnableMFAForOwnerPermissionsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "MFA should be enabled on accounts with owner permissions on your subscription",
        "description": "Enable or disable the monitoring of MFA for accounts with owner permissions in subscription"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "identityEnableMFAForWritePermissionsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "MFA should be enabled accounts with write permissions on your subscription",
        "description": "Enable or disable the monitoring of MFA for accounts with write permissions in subscription"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "identityEnableMFAForReadPermissionsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "MFA should be enabled on accounts with read permissions on your subscription",
        "description": "Enable or disable the monitoring of MFA for accounts with read permissions in subscription"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Deprecated accounts with owner permissions should be removed from your subscription",
        "description": "Enable or disable the monitoring of deprecated acounts with owner permissions in subscription"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "identityRemoveDeprecatedAccountMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Deprecated accounts should be removed from your subscription",
        "description": "Enable or disable the monitoring of deprecated acounts in subscription"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "External accounts with owner permissions should be removed from your subscription",
        "description": "Enable or disable the monitoring of external acounts with owner permissions in subscription"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "identityRemoveExternalAccountWithWritePermissionsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "External accounts with write permissions should be removed from your subscription",
        "description": "Enable or disable the monitoring of external acounts with write permissions in subscription"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "identityRemoveExternalAccountWithReadPermissionsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "External accounts with read permissions should be removed from your subscription",
        "description": "Enable or disable the monitoring of external acounts with read permissions in subscription"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "apiAppConfigureIPRestrictionsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Monitor Configure IP restrictions for API App",
        "description": "Enable or disable the monitoring of IP restrictions for API App",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "functionAppConfigureIPRestrictionsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Monitor Configure IP restrictions for Function App",
        "description": "Enable or disable the monitoring of IP restrictions for Function App",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "webAppConfigureIPRestrictionsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Monitor Configure IP restrictions for Web App",
        "description": "Enable or disable the monitoring of IP restrictions for Web App",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "apiAppDisableRemoteDebuggingMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Remote debugging should be turned off for API App",
        "description": "Enable or disable the monitoring of remote debugging for API App"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "functionAppDisableRemoteDebuggingMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Remote debugging should be turned off for Function App",
        "description": "Enable or disable the monitoring of remote debugging for Function App"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "webAppDisableRemoteDebuggingMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Remote debugging should be turned off for Web Application",
        "description": "Enable or disable the monitoring of remote debugging for Web App"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "apiAppAuditFtpsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: FTPS should be required in your API App",
        "description": "Enable FTPS enforcement for enhanced security",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "functionAppAuditFtpsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: FTPS should be required in your Function App",
        "description": "Enable FTPS enforcement for enhanced security",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "webAppAuditFtpsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: FTPS should be required in your Web App",
        "description": "Enable FTPS enforcement for enhanced security",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "apiAppUseManagedIdentityMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: A managed identity should be used in your API App",
        "description": "Use a managed identity for enhanced authentication security",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "functionAppUseManagedIdentityMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: A managed identity should be used in your Function App",
        "description": "Use a managed identity for enhanced authentication security",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "webAppUseManagedIdentityMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: A managed identity should be used in your Web App",
        "description": "Use a managed identity for enhanced authentication security",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "apiAppRequireLatestTlsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Latest TLS version should be used in your API App",
        "description": "Upgrade to the latest TLS version",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "functionAppRequireLatestTlsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Latest TLS version should be used in your Function App",
        "description": "Upgrade to the latest TLS version",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "webAppRequireLatestTlsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Latest TLS version should be used in your Web App",
        "description": "Upgrade to the latest TLS version",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "apiAppDisableWebSocketsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Monitor disable web sockets for API App",
        "description": "Enable or disable the monitoring of web sockets for API App",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "functionAppDisableWebSocketsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Monitor disable web sockets for Function App",
        "description": "Enable or disable the monitoring of web sockets for Function App",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "webAppDisableWebSocketsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Monitor disable web sockets for Web App",
        "description": "Enable or disable the monitoring of web sockets for Web App",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "apiAppEnforceHttpsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: API App should only be accessible over HTTPS",
        "description": "Enable or disable the monitoring of the use of HTTPS in API App",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "functionAppEnforceHttpsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Function App should only be accessible over HTTPS",
        "description": "Enable or disable the monitoring of the use of HTTPS in function App",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "webAppEnforceHttpsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Web Application should only be accessible over HTTPS",
        "description": "Enable or disable the monitoring of the use of HTTPS in Web App",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "apiAppEnforceHttpsMonitoringEffectV2": {
      "type": "String",
      "metadata": {
        "displayName": "API App should only be accessible over HTTPS V2",
        "description": "Enable or disable the monitoring of the use of HTTPS in API App V2"
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "functionAppEnforceHttpsMonitoringEffectV2": {
      "type": "String",
      "metadata": {
        "displayName": "Function App should only be accessible over HTTPS V2",
        "description": "Enable or disable the monitoring of the use of HTTPS in function App V2"
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "webAppEnforceHttpsMonitoringEffectV2": {
      "type": "String",
      "metadata": {
        "displayName": "Web Application should only be accessible over HTTPS V2",
        "description": "Enable or disable the monitoring of the use of HTTPS in Web App V2"
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "apiAppRestrictCORSAccessMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "CORS should not allow every resource to access your API App",
        "description": "Enable or disable the monitoring of CORS restrictions for API App"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "functionAppRestrictCORSAccessMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "CORS should not allow every resource to access your Function App",
        "description": "Enable or disable the monitoring of CORS restrictions for API Function"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "webAppRestrictCORSAccessMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "CORS should not allow every resource to access your Web Application",
        "description": "Enable or disable the monitoring of CORS restrictions for API Web"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "apiAppUsedCustomDomainsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Monitor the custom domain use in API App",
        "description": "Enable or disable the monitoring of custom domain use in API App",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "functionAppUsedCustomDomainsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Monitor the custom domain use in Function App",
        "description": "Enable or disable the monitoring of custom domain use in Function App",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "webAppUsedCustomDomainsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Monitor the custom domain use in Web App",
        "description": "Enable or disable the monitoring of custom domain use in Web App",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "apiAppUsedLatestDotNetMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Monitor use latest .NET in API App",
        "description": "Enable or disable the monitoring of .NET version in API App",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "webAppUsedLatestDotNetMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Monitor use latest .NET in Web App",
        "description": "Enable or disable the monitoring of .NET version in Web App",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "apiAppUsedLatestJavaMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Monitor use latest Java in API App",
        "description": "Enable or disable the monitoring of Java version in API App",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "webAppUsedLatestJavaMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Monitor use latest Java in Web App",
        "description": "Enable or disable the monitoring of Java version in Web App",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "webAppUsedLatestNodeJsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Monitor use latest Node.js in Web App",
        "description": "Enable or disable the monitoring of Node.js version in Web App",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "apiAppUsedLatestPHPMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Monitor use latest PHP in API App",
        "description": "Enable or disable the monitoring of PHP version in API App",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "webAppUsedLatestPHPMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Monitor use latest PHP in Web App",
        "description": "Enable or disable the monitoring of PHP version in Web App",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "apiAppUsedLatestPythonMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Monitor use latest Python in API App",
        "description": "Enable or disable the monitoring of Python version in API App",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "webAppUsedLatestPythonMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Monitor use latest Python in Web App",
        "description": "Enable or disable the monitoring of Python version in Web App",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "vnetEnableDDoSProtectionMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Azure DDoS Protection Standard should be enabled",
        "description": "Enable or disable the monitoring of DDoS protection for virtual network"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "diagnosticsLogsInIoTHubMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Resource logs in IoT Hub should be enabled",
        "description": "Enable or disable the monitoring of resource logs in IoT Hubs"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "diagnosticsLogsInIoTHubRetentionDays": {
      "type": "String",
      "metadata": {
        "displayName": "Required retention (in days) of logs in IoT Hub accounts",
        "description": "The required resource logs retention period in days"
      },
      "defaultValue": "1"
    },
    "sqlServerAdvancedDataSecurityMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Azure Defender for SQL should be enabled for unprotected Azure SQL servers",
        "description": "Enable or disable the monitoring of SQL servers without Advanced Data Security"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "sqlManagedInstanceAdvancedDataSecurityMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Azure Defender for SQL should be enabled for unprotected SQL Managed Instances",
        "description": "Enable or disable the monitoring of each SQL Managed Instance without advanced data security."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "sqlServerAdvancedDataSecurityEmailsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Advanced data security settings for SQL server should contain an email address to receive security alerts",
        "description": "Enable or disable the monitoring that advanced data security settings for SQL server contain at least one email address to receive security alerts",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Advanced data security settings for SQL Managed Instance should contain an email address to receive security alerts",
        "description": "Enable or disable the monitoring that advanced data security settings for SQL Managed Instance contain at least one email address to receive security alerts.",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Email notifications to admins and subscription owners should be enabled in SQL server advanced data security settings",
        "description": "Enable or disable auditing that 'email notification to admins and subscription owners' is enabled in the SQL Server advanced threat protection settings. This ensures that any detections of anomalous activities on SQL server are reported as soon as possible to the admins.",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Email notifications to admins and subscription owners should be enabled in SQL Managed Instance advanced data security settings",
        "description": "Enable or disable auditing that 'email notification to admins and subscription owners' is enabled in SQL Managed Instance advanced threat protection settings. This setting ensures that any detections of anomalous activities on SQL Managed Instance are reported as soon as possible to the admins.",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "kubernetesServiceRbacEnabledMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Role-Based Access Control (RBAC) should be used on Kubernetes Services",
        "description": "Enable or disable the monitoring of Kubernetes Services without RBAC enabled"
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "kubernetesServicePspEnabledMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Pod Security Policies should be defined on Kubernetes Services",
        "description": "Enable or disable the monitoring of Kubernetes Services without Pod Security Policy enabled",
        "deprecated": true
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "kubernetesServiceAuthorizedIPRangesEnabledMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Authorized IP ranges should be defined on Kubernetes Services",
        "description": "Enable or disable the monitoring of Kubernetes Services without Authorized IP Ranges enabled"
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "kubernetesServiceVersionUpToDateMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Kubernetes Services should be upgraded to a non vulnerable Kubernetes version",
        "description": "Enable or disable the monitoring of the Kubernetes Services with versions that contain known vulnerabilities",
        "deprecated": true
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "vulnerabilityAssessmentOnManagedInstanceMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Vulnerability assessment should be enabled on SQL Managed Instance",
        "description": "Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "vulnerabilityAssessmentOnServerMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Vulnerability assessment should be enabled on your SQL servers",
        "description": "Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "threatDetectionTypesOnManagedInstanceMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL Managed Instance advanced data security settings",
        "description": "It's recommended to enable all Advanced Threat Protection types on your SQL Managed Instance. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "threatDetectionTypesOnServerMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL server Advanced Data Security settings",
        "description": "It is recommended to enable all Advanced Threat Protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "adaptiveNetworkHardeningsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Adaptive network hardening recommendations should be applied on internet facing virtual machines",
        "description": "Enable or disable the monitoring of Internet-facing virtual machines for Network Security Group traffic hardening recommendations"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "restrictAccessToManagementPortsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Management ports should be closed on your virtual machines",
        "description": "Enable or disable the monitoring of open management ports on Virtual Machines"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "restrictAccessToAppServicesMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Access to App Services should be restricted",
        "description": "Enable or disable the monitoring of permissive network access to app-services",
        "deprecated": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "disableIPForwardingMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "IP Forwarding on your virtual machine should be disabled",
        "description": "Enable or disable the monitoring of IP forwarding on virtual machines"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "ensureServerTDEIsEncryptedWithYourOwnKeyMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "SQL server TDE protector should be encrypted with your own key",
        "description": "Enable or disable the monitoring of Transparent Data Encryption (TDE) with your own key support. TDE with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "ensureManagedInstanceTDEIsEncryptedWithYourOwnKeyMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "SQL Managed Instance TDE protector should be encrypted with your own key",
        "description": "Enable or disable the monitoring of Transparent Data Encryption (TDE) with your own key support. TDE with your own key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "containerBenchmarkMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Vulnerabilities in container security configurations should be remediated",
        "description": "Enable or disable container benchmark monitoring"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "ASCDependencyAgentAuditWindowsEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Audit Dependency Agent for Windows VMs monitoring",
        "description": "Enable or disable Dependency Agent for Windows VMs"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "ASCDependencyAgentAuditLinuxEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Audit Dependency Agent for Linux VMs monitoring",
        "description": "Enable or disable Dependency Agent for Linux VMs"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "AzureFirewallEffect": {
      "type": "String",
      "metadata": {
        "displayName": "All Internet traffic should be routed via your deployed Azure Firewall",
        "description": "Enable or disable All Internet traffic should be routed via your deployed Azure Firewall"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "ArcWindowsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Log Analytics agent should be installed on your  Windows Azure Arc machines",
        "description": "Enable or disable Log Analytics agent should be installed on your  Windows Azure Arc machines"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "ArcLinuxMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Log Analytics agent should be installed on your Linux Azure Arc machines",
        "description": "Enable or disable Log Analytics agent should be installed on your Linux Azure Arc machines"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "keyVaultsAdvancedDataSecurityMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Azure Defender for Key Vault should be enabled",
        "description": "Enable or disable Azure Defender for Key Vault"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "sqlServersAdvancedDataSecurityMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Azure Defender for Azure SQL Database servers should be enabled",
        "description": "Enable or disable Azure Defender for Azure SQL Database servers"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "sqlServersVirtualMachinesAdvancedDataSecurityMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Azure Defender for SQL servers on machines should be enabled",
        "description": "Enable or disable Azure Defender for SQL servers on Machines"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "storageAccountsAdvancedDataSecurityMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Azure Defender for Storage should be enabled",
        "description": "Enable or disable Azure Defender for storage"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "appServicesAdvancedThreatProtectionMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Azure Defender for App Services should be enabled",
        "description": "Enable or disable Azure Defender for App Service"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "containerRegistryAdvancedThreatProtectionMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Azure Defender for container registries should be enabled",
        "description": "Enable or disable Azure Defender for container registries"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "kubernetesServiceAdvancedThreatProtectionMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Azure Defender for Kubernetes should be enabled",
        "description": "Enable or disable Azure Defender for Kubernetes"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "virtualMachinesAdvancedThreatProtectionMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Azure Defender for servers should be enabled",
        "description": "Enable or disable Azure Defender for servers"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "azurePolicyAddonStatusEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Azure Policy Add-on for Kubernetes should be installed and enabled on Azure Kubernetes Service (AKS) clusters",
        "description": "Enable or disable reporting of the Azure Policy Add-on is enabled on Azure Kubernetes managed cluster"
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "allowedContainerImagesInKubernetesClusterEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Container images should be deployed from trusted registries only",
        "description": "Enable or disable monitoring of allowed container images in Kubernetes clusters"
      },
      "allowedValues": [
        "audit",
        "deny",
        "disabled"
      ],
      "defaultValue": "audit"
    },
    "allowedContainerImagesInKubernetesClusterRegex": {
      "type": "String",
      "metadata": {
        "displayName": "Allowed container images regex",
        "description": "The RegEx rule used to match allowed container images in a Kubernetes cluster. For example, to allow any Azure Container Registry image by matching partial path: ^.+azurecr.io/.+$"
      },
      "defaultValue": "^(.+){0}$"
    },
    "allowedContainerImagesNamespaceExclusion": {
      "type": "Array",
      "metadata": {
        "displayName": "Kubernetes namespaces to exclude from monitoring of allowed container images",
        "description": "List of Kubernetes namespaces to exclude from evaluation of allowed container images in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them."
      },
      "defaultValue": [
        "kube-system",
        "gatekeeper-system",
        "azure-arc"
      ]
    },
    "privilegedContainersShouldBeAvoidedEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Privileged containers should be avoided",
        "description": "Enable or disable monitoring of privileged containers in Kubernetes clusters"
      },
      "allowedValues": [
        "audit",
        "deny",
        "disabled"
      ],
      "defaultValue": "audit"
    },
    "privilegedContainerNamespaceExclusion": {
      "type": "Array",
      "metadata": {
        "displayName": "Kubernetes namespaces to exclude from monitoring of privileged containers",
        "description": "List of Kubernetes namespaces to exclude from evaluation of privileged containers in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them."
      },
      "defaultValue": [
        "kube-system",
        "gatekeeper-system",
        "azure-arc"
      ]
    },
    "allowedContainerPortsInKubernetesClusterEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Containers should listen on allowed ports only",
        "description": "Enable or disable monitoring of allowed container ports in Kubernetes clusters"
      },
      "allowedValues": [
        "audit",
        "deny",
        "disabled"
      ],
      "defaultValue": "audit"
    },
    "allowedContainerPortsInKubernetesClusterPorts": {
      "type": "Array",
      "metadata": {
        "displayName": "Allowed container ports list",
        "description": "List of container ports allowed in Kubernetes cluster. Use ; to separate values"
      },
      "defaultValue": [
        "-1"
      ]
    },
    "allowedContainerPortsInKubernetesClusterNamespaceExclusion": {
      "type": "Array",
      "metadata": {
        "displayName": "Kubernetes namespaces to exclude from monitoring of allowed container port",
        "description": "List of Kubernetes namespaces to exclude from evaluation of allowed container ports in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them."
      },
      "defaultValue": [
        "kube-system",
        "gatekeeper-system",
        "azure-arc"
      ]
    },
    "allowedServicePortsInKubernetesClusterEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Services should listen on allowed ports only",
        "description": "Enable or disable monitoring of allowed service ports in Kubernetes clusters"
      },
      "allowedValues": [
        "audit",
        "deny",
        "disabled"
      ],
      "defaultValue": "audit"
    },
    "allowedservicePortsInKubernetesClusterPorts": {
      "type": "Array",
      "metadata": {
        "displayName": "Allowed service ports list",
        "description": "List of service ports allowed in Kubernetes cluster. Use ; to separate values"
      },
      "defaultValue": [
        "-1"
      ]
    },
    "allowedServicePortsInKubernetesClusterNamespaceExclusion": {
      "type": "Array",
      "metadata": {
        "displayName": "Kubernetes namespaces to exclude from monitoring of allowed service ports",
        "description": "List of Kubernetes namespaces to exclude from evaluation of allowed service ports in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them."
      },
      "defaultValue": [
        "kube-system",
        "gatekeeper-system",
        "azure-arc"
      ]
    },
    "NoPrivilegeEscalationInKubernetesClusterEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Container with privileged escalation should be avoided",
        "description": "Enable or disable monitoring of privileged escalation containers in Kubernetes clusters"
      },
      "allowedValues": [
        "audit",
        "deny",
        "disabled"
      ],
      "defaultValue": "audit"
    },
    "NoPrivilegeEscalationInKubernetesClusterNamespaceExclusion": {
      "type": "Array",
      "metadata": {
        "displayName": "Kubernetes namespaces to exclude from monitoring of privileged escalation containers",
        "description": "List of Kubernetes namespaces to exclude from evaluation of privileged escalation containers in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them."
      },
      "defaultValue": [
        "kube-system",
        "gatekeeper-system",
        "azure-arc"
      ]
    },
    "NoSharingSensitiveHostNamespacesInKubernetesEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Containers sharing sensitive host namespaces should be avoided",
        "description": "Enable or disable monitoring of shared sensitive host namespaces in Kubernetes clusters"
      },
      "allowedValues": [
        "audit",
        "deny",
        "disabled"
      ],
      "defaultValue": "audit"
    },
    "NoSharingSensitiveHostNamespacesInKubernetesNamespaceExclusion": {
      "type": "Array",
      "metadata": {
        "displayName": "Kubernetes namespaces to exclude from monitoring of sharing sensitive host namespaces in Kubernetes clusters",
        "description": "List of Kubernetes namespaces to exclude from evaluation of  sharing sensitive host namespaces in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them."
      },
      "defaultValue": [
        "kube-system",
        "gatekeeper-system",
        "azure-arc"
      ]
    },
    "ReadOnlyRootFileSystemInKubernetesClusterEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Immutable (read-only) root filesystem should be enforced for containers",
        "description": "Enable or disable monitoring of containers running with a read only root file system in Kubernetes clusters"
      },
      "allowedValues": [
        "audit",
        "deny",
        "disabled"
      ],
      "defaultValue": "audit"
    },
    "ReadOnlyRootFileSystemInKubernetesClusterNamespaceExclusion": {
      "type": "Array",
      "metadata": {
        "displayName": "Kubernetes namespaces to exclude from monitoring of containers running with a read only root file system",
        "description": "List of Kubernetes namespaces to exclude from evaluation to monitoring of containers running with a read only root file system in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them."
      },
      "defaultValue": [
        "kube-system",
        "gatekeeper-system",
        "azure-arc"
      ]
    },
    "AllowedCapabilitiesInKubernetesClusterEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Least privileged Linux capabilities should be enforced for containers",
        "description": "Enable or disable monitoring of Kubernetes containers using allowed capabilities only"
      },
      "allowedValues": [
        "audit",
        "deny",
        "disabled"
      ],
      "defaultValue": "audit"
    },
    "AllowedCapabilitiesInKubernetesClusterNamespaceExclusion": {
      "type": "Array",
      "metadata": {
        "displayName": "Kubernetes namespaces to exclude from monitoring of containers use only allowed capabilities",
        "description": "List of Kubernetes namespaces to exclude from evaluation to monitoring of containers using only allowed capabilities in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them."
      },
      "defaultValue": [
        "kube-system",
        "gatekeeper-system",
        "azure-arc"
      ]
    },
    "AllowedCapabilitiesInKubernetesClusterList": {
      "type": "Array",
      "metadata": {
        "displayName": "Allowed capabilities",
        "description": "The list of capabilities that are allowed to be added to a container. Provide empty list as input to block everything."
      },
      "defaultValue": []
    },
    "DropCapabilitiesInKubernetesClusterList": {
      "type": "Array",
      "metadata": {
        "displayName": "Required drop capabilities",
        "description": "The list of capabilities that must be dropped by a container."
      },
      "defaultValue": []
    },
    "AllowedAppArmorProfilesInKubernetesClusterEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Overriding or disabling of containers AppArmor profile should be restricted",
        "description": "Enable or disable monitoring of modification of Kubernetes containers' AppArmor profile"
      },
      "allowedValues": [
        "audit",
        "deny",
        "disabled"
      ],
      "defaultValue": "audit"
    },
    "AllowedAppArmorProfilesInKubernetesClusterNamespaceExclusion": {
      "type": "Array",
      "metadata": {
        "displayName": "Kubernetes namespaces to exclude from monitoring of containers modification of AppArmor profile",
        "description": "List of Kubernetes namespaces to exclude from evaluation to monitoring of containers modifying of AppArmor profile in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them."
      },
      "defaultValue": [
        "kube-system",
        "gatekeeper-system",
        "azure-arc"
      ]
    },
    "AllowedAppArmorProfilesInKubernetesClusterList": {
      "type": "Array",
      "metadata": {
        "displayName": "Allowed AppArmor profiles",
        "description": "The list of AppArmor profiles that containers are allowed to use. E.g. 'runtime/default;docker/default'. Provide empty list as input to block everything."
      },
      "defaultValue": []
    },
    "AllowedHostNetworkingAndPortsInKubernetesClusterEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Usage of host networking and ports should be restricted",
        "description": "Enable or disable monitoring of Kubernetes containers' host networking and port ranges"
      },
      "allowedValues": [
        "audit",
        "deny",
        "disabled"
      ],
      "defaultValue": "audit"
    },
    "AllowedHostNetworkingAndPortsInKubernetesClusterNamespaceExclusion": {
      "type": "Array",
      "metadata": {
        "displayName": "Kubernetes namespaces to exclude from monitoring of containers host networking and ports",
        "description": "List of Kubernetes namespaces to exclude from evaluation to monitoring of containers host networking and ports in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them."
      },
      "defaultValue": [
        "kube-system",
        "gatekeeper-system",
        "azure-arc"
      ]
    },
    "AllowHostNetworkingInKubernetesCluster": {
      "type": "Boolean",
      "metadata": {
        "displayName": "Allow host network usage",
        "description": "Set this value to true if pod is allowed to use host network otherwise false."
      },
      "defaultValue": false
    },
    "AllowedHostMinPortInKubernetesCluster": {
      "type": "Integer",
      "metadata": {
        "displayName": "Min host port",
        "description": "The minimum value in the allowable host port range that pods can use in the host network namespace."
      },
      "defaultValue": 0
    },
    "AllowedHostMaxPortInKubernetesCluster": {
      "type": "Integer",
      "metadata": {
        "displayName": "Max host port",
        "description": "The maximum value in the allowable host port range that pods can use in the host network namespace."
      },
      "defaultValue": 0
    },
    "AllowedHostPathVolumesInKubernetesClusterEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers",
        "description": "Enable or disable monitoring of pod HostPath volume mounts in Kubernetes clusters"
      },
      "allowedValues": [
        "audit",
        "deny",
        "disabled"
      ],
      "defaultValue": "audit"
    },
    "AllowedHostPathVolumesInKubernetesClusterNamespaceExclusion": {
      "type": "Array",
      "metadata": {
        "displayName": "Kubernetes namespaces to exclude from monitoring of pod HostPath volume mounts",
        "description": "List of Kubernetes namespaces to exclude from evaluation to monitoring of pod HostPath volume mounts in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them."
      },
      "defaultValue": [
        "kube-system",
        "gatekeeper-system",
        "azure-arc"
      ]
    },
    "AllowedHostPathVolumesInKubernetesClusterList": {
      "type": "Object",
      "metadata": {
        "displayName": "Allowed host paths",
        "description": "The host paths allowed for pod hostPath volumes to use. Provide an empty paths list to block all host paths.",
        "schema": {
          "type": "object",
          "properties": {
            "paths": {
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "pathPrefix": {
                    "type": "string"
                  },
                  "readOnly": {
                    "type": "boolean"
                  }
                },
                "required": [
                  "pathPrefix",
                  "readOnly"
                ],
                "additionalProperties": false
              }
            }
          },
          "required": [
            "paths"
          ],
          "additionalProperties": false
        }
      },
      "defaultValue": {
        "paths": []
      }
    },
    "memoryAndCPULimitsInKubernetesClusterEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Containers' CPU and memory limits should be enforced",
        "description": "Enable or disable monitoring of containers' CPU and memory limits in Kubernetes clusters"
      },
      "allowedValues": [
        "audit",
        "deny",
        "disabled"
      ],
      "defaultValue": "audit"
    },
    "memoryInKubernetesClusterLimit": {
      "type": "String",
      "metadata": {
        "displayName": "Max allowed memory bytes in Kubernetes cluster",
        "description": "The maximum memory bytes allowed for a container. E.g. 1Gi. For more information, please refer https://aka.ms/k8s-policy-pod-limits"
      },
      "defaultValue": "0"
    },
    "CPUInKubernetesClusterLimit": {
      "type": "String",
      "metadata": {
        "displayName": "Max allowed CPU units in Kubernetes cluster",
        "description": "The maximum CPU units allowed for a container. E.g. 200m. For more information, please refer https://aka.ms/k8s-policy-pod-limits"
      },
      "defaultValue": "0"
    },
    "memoryAndCPULimitsInKubernetesClusterNamespaceExclusion": {
      "type": "Array",
      "metadata": {
        "displayName": "Kubernetes namespaces to exclude from monitoring of memory and CPU limits",
        "description": "List of Kubernetes namespaces to exclude from evaluation of memory and CPU limits in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them."
      },
      "defaultValue": [
        "kube-system",
        "gatekeeper-system",
        "azure-arc"
      ]
    },
    "BlockVulnerableImagesInKubernetesClusterEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Kubernetes clusters should gate deployment of vulnerable images",
        "description": "Enable or disable gating containers' with vulnerable images in Kubernetes clusters"
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "BlockVulnerableImagesInKubernetesClusterNamespaceExclusion": {
      "type": "Array",
      "metadata": {
        "displayName": "Kubernetes namespaces to exclude from monitoring of containers with vulnerable images",
        "description": "List of Kubernetes namespaces to exclude from evaluation of block vulnerable images in Kubernetes clusters. To list multiple namespaces, use semicolons (;) to separate them."
      },
      "defaultValue": [
        "kube-system",
        "gatekeeper-system",
        "azure-arc"
      ]
    },
    "BlockVulnerableImagesNamespaces": {
      "type": "Array",
      "metadata": {
        "displayName": "Namespace inclusions",
        "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
      },
      "defaultValue": []
    },
    "BlockVulnerableImagesExcludedImages": {
      "type": "Array",
      "metadata": {
        "displayName": "Excluded images regex",
        "description": "A list of RegEx rules used to exclude container images from policy evaluation. For example: exclude all images from the repo azure-defender-in-cluster-defense-repo in the blockreg ACR -  [\"(blockreg.azurecr.io/azure-defender-in-cluster-defense-repo).*\"]. Use an empty list to apply this policy to all container images."
      },
      "defaultValue": []
    },
    "BlockVulnerableImagesSeverityThresholdForExcludingNotPatchableFindings": {
      "type": "String",
      "metadata": {
        "displayName": "Severity threshold for excluding vulnerabilities without a patch",
        "description": "Specify the maximum severity for exempting vulnerabilities without a patch. For example, specify Medium to ignore Low and Medium vulnerabilities without a patch."
      },
      "allowedValues": [
        "None",
        "Low",
        "Medium",
        "High"
      ],
      "defaultValue": "None"
    },
    "BlockVulnerableImagesExcludeFindingIDs": {
      "type": "Array",
      "metadata": {
        "displayName": "Exclude findings Ids",
        "description": "A list of finding IDs that the policy should exempt."
      },
      "defaultValue": []
    },
    "severity": {
      "type": "Object",
      "metadata": {
        "displayName": "Severity threshold",
        "description": "The number of allowed findings per severity for an image. e.g. \"{\"High\":0,\"Medium\":3,\"Low\":10}\""
      },
      "defaultValue": {
        "High": 0,
        "Medium": 0,
        "Low": 0
      }
    },
    "MustRunAsNonRootNamespaceExclusion": {
      "type": "Array",
      "metadata": {
        "displayName": "Kubernetes namespaces to exclude from monitoring of containers running as root user",
        "description": "List of Kubernetes namespaces to exclude from evaluation to monitoring of containers running as root users. To list multiple namespaces, use semicolons (;) to separate them."
      },
      "defaultValue": [
        "kube-system",
        "gatekeeper-system",
        "azure-arc"
      ]
    },
    "MustRunAsNonRootNamespaceEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Kubernetes containers should not be run as root user",
        "description": "Enable or disable monitoring of containers running as root user in Kubernetes nodes"
      },
      "allowedValues": [
        "audit",
        "deny",
        "disabled"
      ],
      "defaultValue": "audit"
    },
    "arcEnabledKubernetesClustersShouldHaveAzureDefendersExtensionInstalled": {
      "type": "String",
      "metadata": {
        "displayName": "Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed",
        "description": "Enable or disable the monitoring of Arc enabled Kubernetes clusters without Azure Defender's extension installed"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "azureKubernetesServiceClustersShouldHaveSecurityProfileEnabled": {
      "type": "String",
      "metadata": {
        "displayName": "Azure Kubernetes Service clusters should have Azure Defender profile enabled",
        "description": "Enable or disable the monitoring of Azure Kubernetes Service clusters without Azure Defender's profile enabled"
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "containerRegistryVulnerabilityAssessmentEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Vulnerabilities in Azure Container Registry images should be remediated",
        "description": "Enable or disable monitoring of Azure container registries by Azure Security Center vulnerability assessment (powered by Qualys)"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "disallowPublicBlobAccessEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Storage account public access should be disallowed",
        "description": "Enable or disable reporting of Storage Accounts that allow public access"
      },
      "allowedValues": [
        "audit",
        "deny",
        "disabled"
      ],
      "defaultValue": "audit"
    },
    "azureBackupShouldBeEnabledForVirtualMachinesMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Azure Backup should be enabled for Virtual Machines",
        "description": "Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "managedIdentityShouldBeUsedInYourFunctionAppMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Managed identity should be used in your Function App",
        "description": "Use a managed identity for enhanced authentication security"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "georedundantBackupShouldBeEnabledForAzureDatabaseForMariadbMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Georedundant backup should be enabled for Azure Database for MariaDB",
        "description": "Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create."
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "managedIdentityShouldBeUsedInYourWebAppMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Managed identity should be used in your Web App",
        "description": "Use a managed identity for enhanced authentication security"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "georedundantBackupShouldBeEnabledForAzureDatabaseForPostgresqlMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Georedundant backup should be enabled for Azure Database for PostgreSQL",
        "description": "Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create."
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "ensureWEBAppHasClientCertificatesIncomingClientCertificatesSetToOnMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Ensure WEB app has Client Certificates Incoming client certificates set to On",
        "description": "Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app."
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "georedundantBackupShouldBeEnabledForAzureDatabaseForMysqlMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Georedundant backup should be enabled for Azure Database for MySQL",
        "description": "Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create."
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "latestTLSVersionShouldBeUsedInYourAPIAppMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Latest TLS version should be used in your API App",
        "description": "Upgrade to the latest TLS version"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "diagnosticLogsInAppServicesShouldBeEnabledMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Resource logs in App Services should be enabled",
        "description": "Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "managedIdentityShouldBeUsedInYourAPIAppMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Managed identity should be used in your API App",
        "description": "Use a managed identity for enhanced authentication security"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "enforceSSLConnectionShouldBeEnabledForPostgresqlDatabaseServersMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Enforce SSL connection should be enabled for PostgreSQL database servers",
        "description": "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server."
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "enforceSSLConnectionShouldBeEnabledForMysqlDatabaseServersMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Enforce SSL connection should be enabled for MySQL database servers",
        "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server."
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "latestTLSVersionShouldBeUsedInYourWebAppMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Latest TLS version should be used in your Web App",
        "description": "Upgrade to the latest TLS version"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "latestTLSVersionShouldBeUsedInYourFunctionAppMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Latest TLS version should be used in your Function App",
        "description": "Upgrade to the latest TLS version"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "ensureThatPHPVersionIsTheLatestIfUsedAsAPartOfTheApiAppMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Ensure that PHP version is the latest if used as a part of the API app",
        "description": "Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "ensureThatPHPVersionIsTheLatestIfUsedAsAPartOfTheWEBAppMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Ensure that PHP version is the latest if used as a part of the WEB app",
        "description": "Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "ensureThatJavaVersionIsTheLatestIfUsedAsAPartOfTheWebAppMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Ensure that Java version is the latest if used as a part of the Web app",
        "description": "Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "ensureThatJavaVersionIsTheLatestIfUsedAsAPartOfTheFunctionAppMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Ensure that Java version is the latest if used as a part of the Function app",
        "description": "Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "ensureThatJavaVersionIsTheLatestIfUsedAsAPartOfTheApiAppMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Ensure that Java version is the latest if used as a part of the API app",
        "description": "Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "ensureThatPythonVersionIsTheLatestIfUsedAsAPartOfTheWebAppMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Ensure that Python version is the latest if used as a part of the Web app",
        "description": "Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "ensureThatPythonVersionIsTheLatestIfUsedAsAPartOfTheFunctionAppMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Ensure that Python version is the latest if used as a part of the Function app",
        "description": "Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "ensureThatPythonVersionIsTheLatestIfUsedAsAPartOfTheApiAppMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Ensure that Python version is the latest if used as a part of the API app",
        "description": "Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "privateEndpointShouldBeEnabledForPostgresqlServersMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Private endpoint should be enabled for PostgreSQL servers",
        "description": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "privateEndpointShouldBeEnabledForMariadbServersMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Private endpoint should be enabled for MariaDB servers",
        "description": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "privateEndpointShouldBeEnabledForMysqlServersMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Private endpoint should be enabled for MySQL servers",
        "description": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "sQLServersShouldBeConfiguredWithAuditingRetentionDaysGreaterThan90DaysMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "SQL servers should be configured with auditing retention days greater than 90 days",
        "description": "Audit SQL servers configured with an auditing retention period of less than 90 days."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "fTPSOnlyShouldBeRequiredInYourFunctionAppMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "FTPS only should be required in your Function App",
        "description": "Enable FTPS enforcement for enhanced security"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "fTPSShouldBeRequiredInYourWebAppMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "FTPS should be required in your Web App",
        "description": "Enable FTPS enforcement for enhanced security"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "fTPSOnlyShouldBeRequiredInYourAPIAppMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "FTPS only should be required in your API App",
        "description": "Enable FTPS enforcement for enhanced security"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "functionAppsShouldHaveClientCertificatesEnabledMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Function apps should have 'Client Certificates (Incoming client certificates)' enabled",
        "description": "Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app."
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "cognitiveServicesAccountsShouldEnableDataEncryptionWithACustomerManagedKeyMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Cognitive Services accounts should enable data encryption with a customer-managed key",
        "description": "Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed key encryption at https://aka.ms/cosmosdb-cmk."
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "azureCosmosDbAccountsShouldUseCustomerManagedKeysToEncryptDataAtRestMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest",
        "description": "Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed key encryption at https://aka.ms/cosmosdb-cmk."
      },
      "allowedValues": [
        "audit",
        "deny",
        "disabled"
      ],
      "defaultValue": "disabled"
    },
    "keyVaultsShouldHavePurgeProtectionEnabledMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Key vaults should have purge protection enabled",
        "description": "Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period."
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "keyVaultsShouldHaveSoftDeleteEnabledMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Key vaults should have soft delete enabled",
        "description": "Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period."
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "azureCacheForRedisShouldResideWithinAVirtualNetworkMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Azure Cache for Redis should reside within a virtual network",
        "description": "Azure Virtual Network deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access.When an Azure Cache for Redis instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network."
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "storageAccountsShouldUseCustomerManagedKeyForEncryptionMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Storage accounts should use customer-managed key for encryption",
        "description": "Secure your storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data."
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "storageAccountsShouldRestrictNetworkAccessUsingVirtualNetworkRulesMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Storage accounts should restrict network access using virtual network rules",
        "description": "Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts."
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "containerRegistriesShouldBeEncryptedWithACustomerManagedKeyMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Container registries should be encrypted with a customer-managed key",
        "description": "Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed key encryption at https://aka.ms/acr/CMK."
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "containerRegistriesShouldNotAllowUnrestrictedNetworkAccessMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Container registries should not allow unrestricted network access",
        "description": "Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/portal/public-network and here https://aka.ms/acr/vnet."
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "containerRegistriesShouldUsePrivateLinkMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Container registries should use private link",
        "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link."
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "appConfigurationShouldUsePrivateLinkMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "App Configuration should use private link",
        "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "azureEventGridDomainsShouldUsePrivateLinkMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Azure Event Grid domains should use private link",
        "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your Event Grid domains instead of the entire service, you'll also be protected against data leakage risks.Learn more at: https://aka.ms/privateendpoints."
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "azureEventGridTopicsShouldUsePrivateLinkMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Azure Event Grid topics should use private link",
        "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your topics instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints."
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "azureSignalRServiceShouldUsePrivateLinkMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Azure SignalR Service should use private link",
        "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your  SignalR resources instead of the entire service, you'll also be protected against data leakage risks .Learn more at: https://aka.ms/asrs/privatelink."
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "azureMachineLearningWorkspacesShouldBeEncryptedWithACustomerManagedKeyMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Azure Machine Learning workspaces should be encrypted with a customer-managed key",
        "description": "Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed key encryption at https://aka.ms/azureml-workspaces-cmk."
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "azureMachineLearningWorkspacesShouldUsePrivateLinkMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Azure Machine Learning workspaces should use private link",
        "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Machine Learning workspaces instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/azureml-workspaces-privatelink."
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "webApplicationFirewallShouldBeEnabledForAzureFrontDoorServiceServiceMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Web Application Firewall (WAF) should be enabled for Azure Front Door Service service",
        "description": "Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules."
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "webApplicationFirewallShouldBeEnabledForApplicationGatewayMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Web Application Firewall (WAF) should be enabled for Application Gateway",
        "description": "Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules."
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "publicNetworkAccessShouldBeDisabledForMariaDbServersMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Public network access should be disabled for MariaDB servers",
        "description": "Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules."
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "publicNetworkAccessShouldBeDisabledForMySqlServersMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Public network access should be disabled for MySQL servers",
        "description": "Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules."
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "bringYourOwnKeyDataProtectionShouldBeEnabledForMySqlServersMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "MySQL servers should use customer-managed keys to encrypt data at rest",
        "description": "Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "publicNetworkAccessShouldBeDisabledForPostgreSqlServersMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Public network access should be disabled for PostgreSQL servers",
        "description": "Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules."
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "bringYourOwnKeyDataProtectionShouldBeEnabledForPostgreSqlServersMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "PostgreSQL servers should use customer-managed keys to encrypt data at rest",
        "description": "Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "vmImageBuilderTemplatesShouldUsePrivateLinkMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "VM Image Builder templates should use private link",
        "description": "Audit VM Image Builder templates that do not have a virtual network configured. When a virtual network is not configured, a public IP is created and used instead which may directly expose resources to the internet and increase the potential attack surface."
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "firewallShouldBeEnabledOnKeyVaultMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Firewall should be enabled on Key Vault",
        "description": "Key vault's firewall prevents unauthorized traffic from reaching your key vault and provides an additional layer of protection for your secrets. Enable the firewall to make sure that only traffic from allowed networks can access your key vault."
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "privateEndpointShouldBeConfiguredForKeyVaultMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Private endpoint should be configured for Key Vault",
        "description": "Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration."
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "azureSpringCloudShouldUseNetworkInjectionMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Azure Spring Cloud should use network injection",
        "description": "Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud."
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "subscriptionsShouldHaveAContactEmailAddressForSecurityIssuesMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Subscriptions should have a contact email address for security issues",
        "description": "To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "autoProvisioningOfTheLogAnalyticsAgentShouldBeEnabledOnYourSubscriptionMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Auto provisioning of the Log Analytics agent should be enabled on your subscription",
        "description": "To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "emailNotificationForHighSeverityAlertsShouldBeEnabledMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Email notification for high severity alerts should be enabled",
        "description": "To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "emailNotificationToSubscriptionOwnerForHighSeverityAlertsShouldBeEnabledMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Email notification to subscription owner for high severity alerts should be enabled",
        "description": "To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "storageAccountShouldUseAPrivateLinkConnectionMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Storage account should use a private link connection",
        "description": "Private links enforce secure communication, by providing private connectivity to the storage account"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "authenticationToLinuxMachinesShouldRequireSSHKeysMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Authentication to Linux machines should require SSH keys",
        "description": "Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "privateEndpointConnectionsOnAzureSQLDatabaseShouldBeEnabledMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Private endpoint connections on Azure SQL Database should be enabled",
        "description": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database."
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "publicNetworkAccessOnAzureSQLDatabaseShouldBeDisabledMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Public network access on Azure SQL Database should be disabled",
        "description": "Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules."
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "ensureAPIAppHasClientCertificatesIncomingClientCertificatesSetToOnMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Ensure API app has Client Certificates Incoming client certificates set to On",
        "description": "Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app."
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "kubernetesClustersShouldBeAccessibleOnlyOverHTTPSMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Kubernetes clusters should be accessible only over HTTPS",
        "description": "Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc"
      },
      "allowedValues": [
        "audit",
        "deny",
        "disabled"
      ],
      "defaultValue": "audit"
    },
    "kubernetesClustersShouldBeAccessibleOnlyOverHTTPSExcludedNamespaces": {
      "type": "Array",
      "metadata": {
        "displayName": "Namespace exclusions",
        "description": "List of Kubernetes namespaces to exclude from policy evaluation."
      },
      "defaultValue": [
        "kube-system",
        "gatekeeper-system",
        "azure-arc"
      ]
    },
    "kubernetesClustersShouldBeAccessibleOnlyOverHTTPSNamespaces": {
      "type": "Array",
      "metadata": {
        "displayName": "Namespace inclusions",
        "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
      },
      "defaultValue": []
    },
    "windowsWebServersShouldBeConfiguredToUseSecureCommunicationProtocolsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Windows web servers should be configured to use secure communication protocols",
        "description": "To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "windowsWebServersShouldBeConfiguredToUseSecureCommunicationProtocolsIncludeArcMachines": {
      "type": "String",
      "metadata": {
        "displayName": "Include Arc connected servers",
        "description": "By selecting this option, you choose to include Arc connected servers in the scope of this policy."
      },
      "allowedValues": [
        "true",
        "false"
      ],
      "defaultValue": "true"
    },
    "windowsWebServersShouldBeConfiguredToUseSecureCommunicationProtocolsMinimumTLSVersion": {
      "type": "String",
      "metadata": {
        "displayName": "Minimum TLS version",
        "description": "The minimum TLS protocol version that should be enabled. Windows web servers with lower TLS versions will be marked as non-compliant."
      },
      "allowedValues": [
        "1.1",
        "1.2"
      ],
      "defaultValue": "1.1"
    },
    "cognitiveServicesAccountsShouldRestrictNetworkAccessMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Cognitive Services accounts should restrict network access",
        "description": "Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges."
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "cognitiveServicesAccountsShouldUseCustomerOwnedStorageOrEnableDataEncryptionMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Cognitive Services accounts should use customer owned storage or enable data encryption",
        "description": "This policy audits any Cognitive Services account not using customer owned storage nor data encryption. For each Cognitive Services account with storage, use either customer owned storage or enable data encryption.",
        "deprecated": true
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "publicNetworkAccessShouldBeDisabledForCognitiveServicesAccountsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Public network access should be disabled for Cognitive Services accounts",
        "description": "This policy audits any Cognitive Services account in your environment with public network access enabled. Public network access should be disabled so that only connections from private endpoints are allowed."
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "cognitiveServicesAccountsShouldEnableDataEncryptionMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "[Deprecated]: Cognitive Services accounts should enable data encryption",
        "description": "This policy audits any Cognitive Services account not using data encryption. For each Cognitive Services account with storage, should enable data encryption with either customer managed or Microsoft managed key.",
        "deprecated": true
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Disabled"
    },
    "aPIManagementServicesShouldUseAVirtualNetworkMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "API Management services should use a virtual network",
        "description": "Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network."
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "aPIManagementServicesShouldUseAVirtualNetworkEvaluatedSkuNames": {
      "type": "Array",
      "metadata": {
        "displayName": "API Management SKU Names",
        "description": "List of API Management SKUs against which this policy will be evaluated."
      },
      "allowedValues": [
        "Developer",
        "Basic",
        "Standard",
        "Premium",
        "Consumption"
      ],
      "defaultValue": [
        "Developer",
        "Premium"
      ]
    },
    "azureCosmosDBAccountsShouldHaveFirewallRulesMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Azure Cosmos DB accounts should have firewall rules",
        "description": "Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant."
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "networkWatcherShouldBeEnabledMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Network Watcher should be enabled",
        "description": "Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. Network diagnostic and visualization tools available with Network Watcher help you understand, diagnose, and gain insights to your network in Azure."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "networkWatcherShouldBeEnabledListOfLocations": {
      "type": "Array",
      "metadata": {
        "displayName": "[Deprecated]: List of regions where Network Watcher should be enabled",
        "description": "To see a complete list of regions, run the PowerShell command Get-AzLocation",
        "strongType": "location",
        "deprecated": true
      },
      "defaultValue": []
    },
    "networkWatcherShouldBeEnabledResourceGroupName": {
      "type": "String",
      "metadata": {
        "displayName": "Name of the resource group for Network Watcher",
        "description": "Name of the resource group where Network Watchers are located"
      },
      "defaultValue": "NetworkWatcherRG"
    },
    "AzureDefenderForResourceManagerShouldBeEnabledMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Azure Defender for Resource Manager should be enabled",
        "description": "Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center ."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "AzureDefenderForDNSShouldBeEnabledMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Azure Defender for DNS should be enabled",
        "description": "Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center ."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "AzureDefenderForOpenSourceRelationalDatabasesShouldBeEnabledMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Azure Defender for open-source relational databases should be enabled",
        "description": "Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "KubernetesClustersShouldNotUseTheDefaultNamespaceMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Kubernetes clusters should not use the default namespace",
        "description": "Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc."
      },
      "allowedValues": [
        "audit",
        "deny",
        "disabled"
      ],
      "defaultValue": "audit"
    },
    "KubernetesClustersShouldDisableAutomountingAPICredentialsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Kubernetes clusters should disable automounting API credentials",
        "description": "Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc."
      },
      "allowedValues": [
        "audit",
        "deny",
        "disabled"
      ],
      "defaultValue": "audit"
    },
    "KubernetesClustersShouldNotGrantCAPSYSADMINSecurityCapabilitiesMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Kubernetes clusters should not grant CAPSYSADMIN security capabilities",
        "description": "To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc."
      },
      "allowedValues": [
        "audit",
        "deny",
        "disabled"
      ],
      "defaultValue": "audit"
    },
    "VtpmShouldBeEnabledOnSupportedVirtualMachinesMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "vTPM should be enabled on supported virtual machines",
        "description": "Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines."
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "SecureBootShouldBeEnabledOnSupportedWindowsVirtualMachinesMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Secure Boot should be enabled on supported Windows virtual machines",
        "description": "Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment only applies to trusted launch enabled Windows virtual machines."
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "GuestAttestationExtensionShouldBeInstalledOnSupportedLinuxVirtualMachinesMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Guest Attestation extension should be installed on supported Linux virtual machines",
        "description": "Install Guest Attestation extension on supported Linux virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled Linux virtual machines."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "GuestAttestationExtensionShouldBeInstalledOnSupportedLinuxVirtualMachinesScaleSetsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Guest Attestation extension should be installed on supported Linux virtual machines scale sets",
        "description": "Install Guest Attestation extension on supported Linux virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled Linux virtual machine scale sets."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "GuestAttestationExtensionShouldBeInstalledOnSupportedWindowsVirtualMachinesMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Guest Attestation extension should be installed on supported Windows virtual machines",
        "description": "Install Guest Attestation extension on supported virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled virtual machines."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "GuestAttestationExtensionShouldBeInstalledOnSupportedWindowsVirtualMachinesScaleSetsMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Guest Attestation extension should be installed on supported Windows virtual machines scale sets",
        "description": "Install Guest Attestation extension on supported virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled virtual machine scale sets."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "installEndpointProtectionMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Endpoint protection should be installed on your machines",
        "description": "To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "endpointProtectionHealthIssuesMonitoringEffect": {
      "type": "String",
      "metadata": {
        "displayName": "Endpoint protection health issues should be resolved on your machines",
        "description": "Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection."
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    }
  },
  "policyDefinitions": [
    {
      "policyDefinitionReferenceId": "useServicePrincipalToProtectSubscriptionsMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6646a0bd-e110-40ca-bb97-84fcee63c414",
      "parameters": {
        "effect": {
          "value": "[parameters('useServicePrincipalToProtectSubscriptionsMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_IM-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "resolveLogAnalyticsHealthIssuesMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d62cfe2b-3ab0-4d41-980d-76803b58ca65",
      "parameters": {
        "effect": {
          "value": "[parameters('resolveLogAnalyticsHealthIssuesMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_LT-5"
      ]
    },
    {
      "policyDefinitionReferenceId": "installLogAnalyticsAgentOnVmMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4fe33eb-e377-4efb-ab31-0784311bc499",
      "parameters": {
        "effect": {
          "value": "[parameters('installLogAnalyticsAgentOnVmMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_LT-5"
      ]
    },
    {
      "policyDefinitionReferenceId": "installLogAnalyticsAgentOnVmssMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a3a6ea0c-e018-4933-9ef0-5aaa1501449b",
      "parameters": {
        "effect": {
          "value": "[parameters('installLogAnalyticsAgentOnVmssMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_LT-5"
      ]
    },
    {
      "policyDefinitionReferenceId": "certificatesValidityPeriodMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560",
      "parameters": {
        "effect": {
          "value": "[parameters('certificatesValidityPeriodMonitoringEffect')]"
        },
        "maximumValidityInMonths": {
          "value": "[parameters('certificatesValidityPeriodInMonths')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PA-5",
        "Azure_Security_Benchmark_v2.0_IM-7"
      ]
    },
    {
      "policyDefinitionReferenceId": "secretsExpirationSet",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37",
      "parameters": {
        "effect": {
          "value": "[parameters('secretsExpirationSetEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PA-5",
        "Azure_Security_Benchmark_v2.0_IM-7"
      ]
    },
    {
      "policyDefinitionReferenceId": "keysExpirationSet",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0",
      "parameters": {
        "effect": {
          "value": "[parameters('keysExpirationSetEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PA-5",
        "Azure_Security_Benchmark_v2.0_IM-7"
      ]
    },
    {
      "policyDefinitionReferenceId": "vmssOsVulnerabilitiesMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4",
      "parameters": {
        "effect": {
          "value": "[parameters('vmssOsVulnerabilitiesMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "vmssEndpointProtectionMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de",
      "parameters": {
        "effect": {
          "value": "[parameters('vmssEndpointProtectionMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_ES-2",
        "Azure_Security_Benchmark_v2.0_ES-3"
      ]
    },
    {
      "policyDefinitionReferenceId": "vmssSystemUpdatesMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
      "parameters": {
        "effect": {
          "value": "[parameters('vmssSystemUpdatesMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-7"
      ]
    },
    {
      "policyDefinitionReferenceId": "gcExtOnVMMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c",
      "parameters": {
        "effect": {
          "value": "[parameters('azurePolicyforWindowsMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_LT-5"
      ]
    },
    {
      "policyDefinitionReferenceId": "gcExtOnVMWithNoSAMIMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a",
      "parameters": {
        "effect": {
          "value": "[parameters('gcExtOnVMWithNoSAMIMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_LT-5"
      ]
    },
    {
      "policyDefinitionReferenceId": "windowsDefenderExploitGuardMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40",
      "parameters": {
        "effect": {
          "value": "[parameters('windowsDefenderExploitGuardMonitoringEffect')]"
        },
        "IncludeArcMachines": {
          "value": "[parameters('windowsWebServersShouldBeConfiguredToUseSecureCommunicationProtocolsIncludeArcMachines')]"
        },
        "NotAvailableMachineState": {
          "value": "Compliant"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_ES-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "windowsGuestConfigBaselinesMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc",
      "parameters": {
        "effect": {
          "value": "[parameters('windowsGuestConfigBaselinesMonitoringEffect')]"
        },
        "IncludeArcMachines": {
          "value": "[parameters('windowsWebServersShouldBeConfiguredToUseSecureCommunicationProtocolsIncludeArcMachines')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "linuxGuestConfigBaselinesMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd",
      "parameters": {
        "effect": {
          "value": "[parameters('linuxGuestConfigBaselinesMonitoringEffect')]"
        },
        "IncludeArcMachines": {
          "value": "[parameters('windowsWebServersShouldBeConfiguredToUseSecureCommunicationProtocolsIncludeArcMachines')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "diagnosticsLogsInIoTHubMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4",
      "parameters": {
        "effect": {
          "value": "[parameters('diagnosticsLogsInIoTHubMonitoringEffect')]"
        },
        "requiredRetentionDays": {
          "value": "[parameters('diagnosticsLogsInIoTHubRetentionDays')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_LT-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "diagnosticsLogsInServiceFabricMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1",
      "parameters": {
        "effect": {
          "value": "[parameters('diagnosticsLogsInServiceFabricMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_LT-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "disableUnrestrictedNetworkToStorageAccountMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c",
      "parameters": {
        "effect": {
          "value": "[parameters('disableUnrestrictedNetworkToStorageAccountMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_NS-1",
        "Azure_Security_Benchmark_v2.0_NS-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "useRbacRulesMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5",
      "parameters": {
        "effect": {
          "value": "[parameters('useRbacRulesMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PA-7"
      ]
    },
    {
      "policyDefinitionReferenceId": "diagnosticsLogsInStreamAnalyticsMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46",
      "parameters": {
        "effect": {
          "value": "[parameters('diagnosticsLogsInStreamAnalyticsMonitoringEffect')]"
        },
        "requiredRetentionDays": {
          "value": "[parameters('diagnosticsLogsInStreamAnalyticsRetentionDays')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_LT-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "secureTransferToStorageAccountMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
      "parameters": {
        "effect": {
          "value": "[parameters('secureTransferToStorageAccountMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_DP-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "aadAuthenticationInSqlServerMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9",
      "parameters": {
        "effect": {
          "value": "[parameters('aadAuthenticationInSqlServerMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_IM-1"
      ]
    },
    {
      "policyDefinitionReferenceId": "diagnosticsLogsInServiceBusMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45",
      "parameters": {
        "effect": {
          "value": "[parameters('diagnosticsLogsInServiceBusMonitoringEffect')]"
        },
        "requiredRetentionDays": {
          "value": "[parameters('diagnosticsLogsInServiceBusRetentionDays')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_LT-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "clusterProtectionLevelInServiceFabricMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68",
      "parameters": {
        "effect": {
          "value": "[parameters('clusterProtectionLevelInServiceFabricMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_DP-5"
      ]
    },
    {
      "policyDefinitionReferenceId": "aadAuthenticationInServiceFabricMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0",
      "parameters": {
        "effect": {
          "value": "[parameters('aadAuthenticationInServiceFabricMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_IM-1"
      ]
    },
    {
      "policyDefinitionReferenceId": "diagnosticsLogsInSearchServiceMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4",
      "parameters": {
        "effect": {
          "value": "[parameters('diagnosticsLogsInSearchServiceMonitoringEffect')]"
        },
        "requiredRetentionDays": {
          "value": "[parameters('diagnosticsLogsInSearchServiceRetentionDays')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_LT-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "diagnosticsLogsInRedisCacheMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb",
      "parameters": {
        "effect": {
          "value": "[parameters('diagnosticsLogsInRedisCacheMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_DP-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "diagnosticsLogsInLogicAppsMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d",
      "parameters": {
        "effect": {
          "value": "[parameters('diagnosticsLogsInLogicAppsMonitoringEffect')]"
        },
        "requiredRetentionDays": {
          "value": "[parameters('diagnosticsLogsInLogicAppsRetentionDays')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_LT-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "diagnosticsLogsInKeyVaultMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21",
      "parameters": {
        "effect": {
          "value": "[parameters('diagnosticsLogsInKeyVaultMonitoringEffect')]"
        },
        "requiredRetentionDays": {
          "value": "[parameters('diagnosticsLogsInKeyVaultRetentionDays')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_LT-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "diagnosticsLogsInEventHubMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a",
      "parameters": {
        "effect": {
          "value": "[parameters('diagnosticsLogsInEventHubMonitoringEffect')]"
        },
        "requiredRetentionDays": {
          "value": "[parameters('diagnosticsLogsInEventHubRetentionDays')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_LT-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "diagnosticsLogsInDataLakeStoreMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb",
      "parameters": {
        "effect": {
          "value": "[parameters('diagnosticsLogsInDataLakeStoreMonitoringEffect')]"
        },
        "requiredRetentionDays": {
          "value": "[parameters('diagnosticsLogsInDataLakeStoreRetentionDays')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_LT-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "diagnosticsLogsInDataLakeAnalyticsMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c",
      "parameters": {
        "effect": {
          "value": "[parameters('diagnosticsLogsInDataLakeAnalyticsMonitoringEffect')]"
        },
        "requiredRetentionDays": {
          "value": "[parameters('diagnosticsLogsInDataLakeAnalyticsRetentionDays')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_LT-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "classicStorageAccountsMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606",
      "parameters": {
        "effect": {
          "value": "[parameters('classicStorageAccountsMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_AM-3"
      ]
    },
    {
      "policyDefinitionReferenceId": "classicComputeVMsMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d",
      "parameters": {
        "effect": {
          "value": "[parameters('classicComputeVMsMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_AM-3"
      ]
    },
    {
      "policyDefinitionReferenceId": "diagnosticsLogsInBatchAccountMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d",
      "parameters": {
        "effect": {
          "value": "[parameters('diagnosticsLogsInBatchAccountMonitoringEffect')]"
        },
        "requiredRetentionDays": {
          "value": "[parameters('diagnosticsLogsInBatchAccountRetentionDays')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_LT-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "encryptionOfAutomationAccountMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735",
      "parameters": {
        "effect": {
          "value": "[parameters('encryptionOfAutomationAccountMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_DP-5"
      ]
    },
    {
      "policyDefinitionReferenceId": "sqlDbEncryptionMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12",
      "parameters": {
        "effect": {
          "value": "[parameters('sqlDbEncryptionMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_DP-2",
        "Azure_Security_Benchmark_v2.0_DP-5"
      ]
    },
    {
      "policyDefinitionReferenceId": "sqlServerAuditingMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9",
      "parameters": {
        "effect": {
          "value": "[parameters('sqlServerAuditingMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_LT-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "systemUpdatesMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
      "parameters": {
        "effect": {
          "value": "[parameters('systemUpdatesMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-7"
      ]
    },
    {
      "policyDefinitionReferenceId": "jitNetworkAccessMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c",
      "parameters": {
        "effect": {
          "value": "[parameters('jitNetworkAccessMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_NS-1",
        "Azure_Security_Benchmark_v2.0_NS-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "adaptiveApplicationControlsMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc",
      "parameters": {
        "effect": {
          "value": "[parameters('adaptiveApplicationControlsMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_AM-6"
      ]
    },
    {
      "policyDefinitionReferenceId": "adaptiveApplicationControlsUpdateMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/123a3936-f020-408a-ba0c-47873faf1534",
      "parameters": {
        "effect": {
          "value": "[parameters('adaptiveApplicationControlsUpdateMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_AM-6"
      ]
    },
    {
      "policyDefinitionReferenceId": "networkSecurityGroupsOnSubnetsMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517",
      "parameters": {
        "effect": {
          "value": "[parameters('networkSecurityGroupsOnSubnetsMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_NS-1",
        "Azure_Security_Benchmark_v2.0_NS-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "networkSecurityGroupsOnVirtualMachinesMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c",
      "parameters": {
        "effect": {
          "value": "[parameters('networkSecurityGroupsOnVirtualMachinesMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_NS-1",
        "Azure_Security_Benchmark_v2.0_NS-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "networkSecurityGroupsOnInternalVirtualMachinesMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6",
      "parameters": {
        "effect": {
          "value": "[parameters('networkSecurityGroupsOnInternalVirtualMachinesMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_NS-1"
      ]
    },
    {
      "policyDefinitionReferenceId": "systemConfigurationsMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15",
      "parameters": {
        "effect": {
          "value": "[parameters('systemConfigurationsMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "endpointProtectionMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9",
      "parameters": {
        "effect": {
          "value": "[parameters('endpointProtectionMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_ES-2",
        "Azure_Security_Benchmark_v2.0_ES-3"
      ]
    },
    {
      "policyDefinitionReferenceId": "diskEncryptionMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d",
      "parameters": {
        "effect": {
          "value": "[parameters('diskEncryptionMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_DP-2",
        "Azure_Security_Benchmark_v2.0_DP-5"
      ]
    },
    {
      "policyDefinitionReferenceId": "serverVulnerabilityAssessment",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9",
      "parameters": {
        "effect": {
          "value": "[parameters('serverVulnerabilityAssessmentEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-6"
      ]
    },
    {
      "policyDefinitionReferenceId": "nextGenerationFirewallMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6",
      "parameters": {
        "effect": {
          "value": "[parameters('nextGenerationFirewallMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_NS-1",
        "Azure_Security_Benchmark_v2.0_NS-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "sqlDbVulnerabilityAssesmentMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc",
      "parameters": {
        "effect": {
          "value": "[parameters('sqlDbVulnerabilityAssesmentMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-6"
      ]
    },
    {
      "policyDefinitionReferenceId": "serverSqlDbVulnerabilityAssesmentMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d",
      "parameters": {
        "effect": {
          "value": "[parameters('serverSqlDbVulnerabilityAssesmentMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-6"
      ]
    },
    {
      "policyDefinitionReferenceId": "sqlDbDataClassificationMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349",
      "parameters": {
        "effect": {
          "value": "[parameters('sqlDbDataClassificationMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_DP-1"
      ]
    },
    {
      "policyDefinitionReferenceId": "identityDesignateLessThanOwnersMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c",
      "parameters": {
        "effect": {
          "value": "[parameters('identityDesignateLessThanOwnersMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PA-1"
      ]
    },
    {
      "policyDefinitionReferenceId": "identityDesignateMoreThanOneOwnerMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b",
      "parameters": {
        "effect": {
          "value": "[parameters('identityDesignateMoreThanOneOwnerMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PA-1"
      ]
    },
    {
      "policyDefinitionReferenceId": "identityEnableMFAForOwnerPermissionsMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed",
      "parameters": {
        "effect": {
          "value": "[parameters('identityEnableMFAForOwnerPermissionsMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_IM-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "identityEnableMFAForWritePermissionsMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3",
      "parameters": {
        "effect": {
          "value": "[parameters('identityEnableMFAForWritePermissionsMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_IM-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "identityEnableMFAForReadPermissionsMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64",
      "parameters": {
        "effect": {
          "value": "[parameters('identityEnableMFAForReadPermissionsMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_IM-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad",
      "parameters": {
        "effect": {
          "value": "[parameters('identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PA-1",
        "Azure_Security_Benchmark_v2.0_PA-3"
      ]
    },
    {
      "policyDefinitionReferenceId": "identityRemoveDeprecatedAccountMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474",
      "parameters": {
        "effect": {
          "value": "[parameters('identityRemoveDeprecatedAccountMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PA-3"
      ]
    },
    {
      "policyDefinitionReferenceId": "identityRemoveExternalAccountWithOwnerPermissionsMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9",
      "parameters": {
        "effect": {
          "value": "[parameters('identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PA-1",
        "Azure_Security_Benchmark_v2.0_PA-3"
      ]
    },
    {
      "policyDefinitionReferenceId": "identityRemoveExternalAccountWithWritePermissionsMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4",
      "parameters": {
        "effect": {
          "value": "[parameters('identityRemoveExternalAccountWithWritePermissionsMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PA-3"
      ]
    },
    {
      "policyDefinitionReferenceId": "identityRemoveExternalAccountWithReadPermissionsMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60",
      "parameters": {
        "effect": {
          "value": "[parameters('identityRemoveExternalAccountWithReadPermissionsMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PA-3"
      ]
    },
    {
      "policyDefinitionReferenceId": "apiAppDisableRemoteDebuggingMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e",
      "parameters": {
        "effect": {
          "value": "[parameters('apiAppDisableRemoteDebuggingMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "functionAppDisableRemoteDebuggingMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9",
      "parameters": {
        "effect": {
          "value": "[parameters('functionAppDisableRemoteDebuggingMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "webAppDisableRemoteDebuggingMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71",
      "parameters": {
        "effect": {
          "value": "[parameters('webAppDisableRemoteDebuggingMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "apiAppEnforceHttpsMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6",
      "parameters": {
        "effect": {
          "value": "[parameters('apiAppEnforceHttpsMonitoringEffectV2')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_DP-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "functionAppEnforceHttpsMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab",
      "parameters": {
        "effect": {
          "value": "[parameters('functionAppEnforceHttpsMonitoringEffectV2')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_DP-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "webAppEnforceHttpsMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d",
      "parameters": {
        "effect": {
          "value": "[parameters('webAppEnforceHttpsMonitoringEffectV2')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_DP-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "apiAppRestrictCORSAccessMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac",
      "parameters": {
        "effect": {
          "value": "[parameters('apiAppRestrictCORSAccessMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "functionAppRestrictCORSAccessMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5",
      "parameters": {
        "effect": {
          "value": "[parameters('functionAppRestrictCORSAccessMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "webAppRestrictCORSAccessMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9",
      "parameters": {
        "effect": {
          "value": "[parameters('webAppRestrictCORSAccessMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "vnetEnableDDoSProtectionMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd",
      "parameters": {
        "effect": {
          "value": "[parameters('vnetEnableDDoSProtectionMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_NS-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "sqlServerAdvancedDataSecurityMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9",
      "parameters": {
        "effect": {
          "value": "[parameters('sqlServerAdvancedDataSecurityMonitoringEffect')]"
        }
      }
    },
    {
      "policyDefinitionReferenceId": "sqlManagedInstanceAdvancedDataSecurityMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9",
      "parameters": {
        "effect": {
          "value": "[parameters('sqlManagedInstanceAdvancedDataSecurityMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_DP-2",
        "Azure_Security_Benchmark_v2.0_DP-3",
        "Azure_Security_Benchmark_v2.0_LT-1",
        "Azure_Security_Benchmark_v2.0_LT-2",
        "Azure_Security_Benchmark_v2.0_IR-3",
        "Azure_Security_Benchmark_v2.0_IR-5"
      ]
    },
    {
      "policyDefinitionReferenceId": "kubernetesServiceRbacEnabledMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457",
      "parameters": {
        "effect": {
          "value": "[parameters('kubernetesServiceRbacEnabledMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PA-7"
      ]
    },
    {
      "policyDefinitionReferenceId": "kubernetesServiceAuthorizedIPRangesEnabledMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea",
      "parameters": {
        "effect": {
          "value": "[parameters('kubernetesServiceAuthorizedIPRangesEnabledMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_NS-1",
        "Azure_Security_Benchmark_v2.0_NS-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "vulnerabilityAssessmentOnServerMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9",
      "parameters": {
        "effect": {
          "value": "[parameters('vulnerabilityAssessmentOnServerMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-6"
      ]
    },
    {
      "policyDefinitionReferenceId": "vulnerabilityAssessmentOnManagedInstanceMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a",
      "parameters": {
        "effect": {
          "value": "[parameters('vulnerabilityAssessmentOnManagedInstanceMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-6"
      ]
    },
    {
      "policyDefinitionReferenceId": "adaptiveNetworkHardeningsMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6",
      "parameters": {
        "effect": {
          "value": "[parameters('adaptiveNetworkHardeningsMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_NS-1",
        "Azure_Security_Benchmark_v2.0_NS-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "restrictAccessToManagementPortsMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917",
      "parameters": {
        "effect": {
          "value": "[parameters('restrictAccessToManagementPortsMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_NS-1"
      ]
    },
    {
      "policyDefinitionReferenceId": "disableIPForwardingMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744",
      "parameters": {
        "effect": {
          "value": "[parameters('disableIPForwardingMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_NS-1",
        "Azure_Security_Benchmark_v2.0_NS-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "ensureServerTDEIsEncryptedWithYourOwnKeyMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd",
      "parameters": {
        "effect": {
          "value": "[parameters('ensureServerTDEIsEncryptedWithYourOwnKeyMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_DP-5"
      ]
    },
    {
      "policyDefinitionReferenceId": "ensureManagedInstanceTDEIsEncryptedWithYourOwnKeyMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260",
      "parameters": {
        "effect": {
          "value": "[parameters('ensureManagedInstanceTDEIsEncryptedWithYourOwnKeyMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_DP-5"
      ]
    },
    {
      "policyDefinitionReferenceId": "containerBenchmarkMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933",
      "parameters": {
        "effect": {
          "value": "[parameters('containerBenchmarkMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "ASCDependencyAgentAuditWindowsEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d",
      "parameters": {
        "effect": {
          "value": "[parameters('ASCDependencyAgentAuditWindowsEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_LT-3"
      ]
    },
    {
      "policyDefinitionReferenceId": "ASCDependencyAgentAuditLinuxEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602",
      "parameters": {
        "effect": {
          "value": "[parameters('ASCDependencyAgentAuditLinuxEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_LT-3"
      ]
    },
    {
      "policyDefinitionReferenceId": "AzureFirewallEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c",
      "parameters": {
        "effect": {
          "value": "[parameters('AzureFirewallEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_NS-1",
        "Azure_Security_Benchmark_v2.0_NS-4",
        "Azure_Security_Benchmark_v2.0_NS-5"
      ]
    },
    {
      "policyDefinitionReferenceId": "ArcWindowsMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e",
      "parameters": {
        "effect": {
          "value": "[parameters('ArcWindowsMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_LT-5"
      ]
    },
    {
      "policyDefinitionReferenceId": "ArcLinuxMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/842c54e8-c2f9-4d79-ae8d-38d8b8019373",
      "parameters": {
        "effect": {
          "value": "[parameters('ArcLinuxMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_LT-5"
      ]
    },
    {
      "policyDefinitionReferenceId": "keyVaultsAdvancedDataSecurityMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047",
      "parameters": {
        "effect": {
          "value": "[parameters('keyVaultsAdvancedDataSecurityMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_LT-1",
        "Azure_Security_Benchmark_v2.0_LT-2",
        "Azure_Security_Benchmark_v2.0_IR-3",
        "Azure_Security_Benchmark_v2.0_IR-5"
      ]
    },
    {
      "policyDefinitionReferenceId": "sqlServersAdvancedDataSecurityMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2",
      "parameters": {
        "effect": {
          "value": "[parameters('sqlServersAdvancedDataSecurityMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_DP-2",
        "Azure_Security_Benchmark_v2.0_DP-3",
        "Azure_Security_Benchmark_v2.0_LT-1",
        "Azure_Security_Benchmark_v2.0_LT-2",
        "Azure_Security_Benchmark_v2.0_IR-3",
        "Azure_Security_Benchmark_v2.0_IR-5"
      ]
    },
    {
      "policyDefinitionReferenceId": "sqlServersVirtualMachinesAdvancedDataSecurityMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6581d072-105e-4418-827f-bd446d56421b",
      "parameters": {
        "effect": {
          "value": "[parameters('sqlServersVirtualMachinesAdvancedDataSecurityMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_DP-2",
        "Azure_Security_Benchmark_v2.0_DP-3",
        "Azure_Security_Benchmark_v2.0_LT-1",
        "Azure_Security_Benchmark_v2.0_LT-2",
        "Azure_Security_Benchmark_v2.0_IR-3",
        "Azure_Security_Benchmark_v2.0_IR-5"
      ]
    },
    {
      "policyDefinitionReferenceId": "storageAccountsAdvancedDataSecurityMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa",
      "parameters": {
        "effect": {
          "value": "[parameters('storageAccountsAdvancedDataSecurityMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_DP-2",
        "Azure_Security_Benchmark_v2.0_DP-3",
        "Azure_Security_Benchmark_v2.0_LT-1",
        "Azure_Security_Benchmark_v2.0_LT-2",
        "Azure_Security_Benchmark_v2.0_IR-3",
        "Azure_Security_Benchmark_v2.0_IR-5"
      ]
    },
    {
      "policyDefinitionReferenceId": "appServicesAdvancedThreatProtectionMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb",
      "parameters": {
        "effect": {
          "value": "[parameters('appServicesAdvancedThreatProtectionMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_LT-1",
        "Azure_Security_Benchmark_v2.0_LT-2",
        "Azure_Security_Benchmark_v2.0_IR-3",
        "Azure_Security_Benchmark_v2.0_IR-5"
      ]
    },
    {
      "policyDefinitionReferenceId": "containerRegistryAdvancedThreatProtectionMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c25d9a16-bc35-4e15-a7e5-9db606bf9ed4",
      "parameters": {
        "effect": {
          "value": "[parameters('containerRegistryAdvancedThreatProtectionMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_LT-1",
        "Azure_Security_Benchmark_v2.0_LT-2",
        "Azure_Security_Benchmark_v2.0_IR-3",
        "Azure_Security_Benchmark_v2.0_IR-5"
      ]
    },
    {
      "policyDefinitionReferenceId": "kubernetesServiceAdvancedThreatProtectionMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/523b5cd1-3e23-492f-a539-13118b6d1e3a",
      "parameters": {
        "effect": {
          "value": "[parameters('kubernetesServiceAdvancedThreatProtectionMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_LT-1",
        "Azure_Security_Benchmark_v2.0_LT-2",
        "Azure_Security_Benchmark_v2.0_IR-3",
        "Azure_Security_Benchmark_v2.0_IR-5"
      ]
    },
    {
      "policyDefinitionReferenceId": "virtualMachinesAdvancedThreatProtectionMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d",
      "parameters": {
        "effect": {
          "value": "[parameters('virtualMachinesAdvancedThreatProtectionMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_LT-1",
        "Azure_Security_Benchmark_v2.0_LT-2",
        "Azure_Security_Benchmark_v2.0_IR-3",
        "Azure_Security_Benchmark_v2.0_IR-5",
        "Azure_Security_Benchmark_v2.0_ES-1"
      ]
    },
    {
      "policyDefinitionReferenceId": "azurePolicyAddonStatus",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d",
      "parameters": {
        "effect": {
          "value": "[parameters('azurePolicyAddonStatusEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "ensureAllowedContainerImagesInKubernetesCluster",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469",
      "parameters": {
        "effect": {
          "value": "[parameters('allowedContainerImagesInKubernetesClusterEffect')]"
        },
        "allowedContainerImagesRegex": {
          "value": "[parameters('allowedContainerImagesInKubernetesClusterRegex')]"
        },
        "excludedNamespaces": {
          "value": "[parameters('allowedContainerImagesNamespaceExclusion')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "privilegedContainersShouldBeAvoided",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4",
      "parameters": {
        "effect": {
          "value": "[parameters('privilegedContainersShouldBeAvoidedEffect')]"
        },
        "excludedNamespaces": {
          "value": "[parameters('privilegedContainerNamespaceExclusion')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "allowedContainerPortsInKubernetesCluster",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/440b515e-a580-421e-abeb-b159a61ddcbc",
      "parameters": {
        "effect": {
          "value": "[parameters('allowedContainerPortsInKubernetesClusterEffect')]"
        },
        "allowedContainerPortsList": {
          "value": "[parameters('allowedContainerPortsInKubernetesClusterPorts')]"
        },
        "excludedNamespaces": {
          "value": "[parameters('allowedContainerPortsInKubernetesClusterNamespaceExclusion')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "allowedServicePortsInKubernetesCluster",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/233a2a17-77ca-4fb1-9b6b-69223d272a44",
      "parameters": {
        "effect": {
          "value": "[parameters('allowedServicePortsInKubernetesClusterEffect')]"
        },
        "allowedServicePortsList": {
          "value": "[parameters('allowedservicePortsInKubernetesClusterPorts')]"
        },
        "excludedNamespaces": {
          "value": "[parameters('allowedServicePortsInKubernetesClusterNamespaceExclusion')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "BlockVulnerableImagesInKubernetesCluster",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759",
      "parameters": {
        "effect": {
          "value": "[parameters('BlockVulnerableImagesInKubernetesClusterEffect')]"
        },
        "excludedNamespaces": {
          "value": "[parameters('BlockVulnerableImagesInKubernetesClusterNamespaceExclusion')]"
        },
        "namespaces": {
          "value": "[parameters('BlockVulnerableImagesNamespaces')]"
        },
        "excludedImages": {
          "value": "[parameters('BlockVulnerableImagesExcludedImages')]"
        },
        "severityThresholdForExcludingNotPatchableFindings": {
          "value": "[parameters('BlockVulnerableImagesSeverityThresholdForExcludingNotPatchableFindings')]"
        },
        "excludeFindingIDs": {
          "value": "[parameters('BlockVulnerableImagesExcludeFindingIDs')]"
        },
        "severity": {
          "value": "[parameters('severity')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "memoryAndCPULimitsInKubernetesCluster",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164",
      "parameters": {
        "effect": {
          "value": "[parameters('memoryAndCPULimitsInKubernetesClusterEffect')]"
        },
        "cpuLimit": {
          "value": "[parameters('CPUInKubernetesClusterLimit')]"
        },
        "memoryLimit": {
          "value": "[parameters('memoryInKubernetesClusterLimit')]"
        },
        "excludedNamespaces": {
          "value": "[parameters('memoryAndCPULimitsInKubernetesClusterNamespaceExclusion')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "MustRunAsNonRoot",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f06ddb64-5fa3-4b77-b166-acb36f7f6042",
      "parameters": {
        "effect": {
          "value": "[parameters('MustRunAsNonRootNamespaceEffect')]"
        },
        "runAsUserRule": {
          "value": "MustRunAsNonRoot"
        },
        "runAsUserRanges": {
          "value": {
            "ranges": []
          }
        },
        "runAsGroupRule": {
          "value": "MayRunAs"
        },
        "runAsGroupRanges": {
          "value": {
            "ranges": [
              {
                "min": 1,
                "max": 65535
              }
            ]
          }
        },
        "supplementalGroupsRule": {
          "value": "MayRunAs"
        },
        "supplementalGroupsRanges": {
          "value": {
            "ranges": [
              {
                "min": 1,
                "max": 65535
              }
            ]
          }
        },
        "fsGroupRule": {
          "value": "MayRunAs"
        },
        "fsGroupRanges": {
          "value": {
            "ranges": [
              {
                "min": 1,
                "max": 65535
              }
            ]
          }
        },
        "excludedNamespaces": {
          "value": "[parameters('MustRunAsNonRootNamespaceExclusion')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "arcEnabledKubernetesClustersShouldHaveAzureDefendersExtensionInstalled",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8dfab9c4-fe7b-49ad-85e4-1e9be085358f",
      "parameters": {
        "effect": {
          "value": "[parameters('arcEnabledKubernetesClustersShouldHaveAzureDefendersExtensionInstalled')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_LT-1",
        "Azure_Security_Benchmark_v2.0_LT-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "azureKubernetesServiceClustersShouldHaveSecurityProfileEnabled",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a1840de2-8088-4ea8-b153-b4c723e9cb01",
      "parameters": {
        "effect": {
          "value": "[parameters('azureKubernetesServiceClustersShouldHaveSecurityProfileEnabled')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_LT-5"
      ]
    },
    {
      "policyDefinitionReferenceId": "containerRegistryVulnerabilityAssessment",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f0f936f-2f01-4bf5-b6be-d423792fa562",
      "parameters": {
        "effect": {
          "value": "[parameters('containerRegistryVulnerabilityAssessmentEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-6"
      ]
    },
    {
      "policyDefinitionReferenceId": "NoPrivilegeEscalationInKubernetesCluster",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99",
      "parameters": {
        "effect": {
          "value": "[parameters('NoPrivilegeEscalationInKubernetesClusterEffect')]"
        },
        "excludedNamespaces": {
          "value": "[parameters('NoPrivilegeEscalationInKubernetesClusterNamespaceExclusion')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "NoSharingSensitiveHostNamespacesInKubernetes",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8",
      "parameters": {
        "effect": {
          "value": "[parameters('NoSharingSensitiveHostNamespacesInKubernetesEffect')]"
        },
        "excludedNamespaces": {
          "value": "[parameters('NoSharingSensitiveHostNamespacesInKubernetesNamespaceExclusion')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "ReadOnlyRootFileSystemInKubernetesCluster",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/df49d893-a74c-421d-bc95-c663042e5b80",
      "parameters": {
        "effect": {
          "value": "[parameters('ReadOnlyRootFileSystemInKubernetesClusterEffect')]"
        },
        "excludedNamespaces": {
          "value": "[parameters('ReadOnlyRootFileSystemInKubernetesClusterNamespaceExclusion')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "AllowedCapabilitiesInKubernetesCluster",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c",
      "parameters": {
        "effect": {
          "value": "[parameters('AllowedCapabilitiesInKubernetesClusterEffect')]"
        },
        "excludedNamespaces": {
          "value": "[parameters('AllowedCapabilitiesInKubernetesClusterNamespaceExclusion')]"
        },
        "allowedCapabilities": {
          "value": "[parameters('AllowedCapabilitiesInKubernetesClusterList')]"
        },
        "requiredDropCapabilities": {
          "value": "[parameters('DropCapabilitiesInKubernetesClusterList')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "AllowedAppArmorProfilesInKubernetesCluster",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/511f5417-5d12-434d-ab2e-816901e72a5e",
      "parameters": {
        "effect": {
          "value": "[parameters('AllowedAppArmorProfilesInKubernetesClusterEffect')]"
        },
        "excludedNamespaces": {
          "value": "[parameters('AllowedAppArmorProfilesInKubernetesClusterNamespaceExclusion')]"
        },
        "allowedProfiles": {
          "value": "[parameters('AllowedAppArmorProfilesInKubernetesClusterList')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "AllowedHostNetworkingAndPortsInKubernetesCluster",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82985f06-dc18-4a48-bc1c-b9f4f0098cfe",
      "parameters": {
        "effect": {
          "value": "[parameters('AllowedHostNetworkingAndPortsInKubernetesClusterEffect')]"
        },
        "excludedNamespaces": {
          "value": "[parameters('AllowedHostNetworkingAndPortsInKubernetesClusterNamespaceExclusion')]"
        },
        "allowHostNetwork": {
          "value": "[parameters('AllowHostNetworkingInKubernetesCluster')]"
        },
        "minPort": {
          "value": "[parameters('AllowedHostMinPortInKubernetesCluster')]"
        },
        "maxPort": {
          "value": "[parameters('AllowedHostMaxPortInKubernetesCluster')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "AllowedHostPathVolumesInKubernetesCluster",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/098fc59e-46c7-4d99-9b16-64990e543d75",
      "parameters": {
        "effect": {
          "value": "[parameters('AllowedHostPathVolumesInKubernetesClusterEffect')]"
        },
        "excludedNamespaces": {
          "value": "[parameters('AllowedHostPathVolumesInKubernetesClusterNamespaceExclusion')]"
        },
        "allowedHostPaths": {
          "value": "[parameters('AllowedHostPathVolumesInKubernetesClusterList')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "StorageDisallowPublicAccess",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751",
      "parameters": {
        "effect": {
          "value": "[parameters('disallowPublicBlobAccessEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_DP-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "azureBackupShouldBeEnabledForVirtualMachinesMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d",
      "parameters": {
        "effect": {
          "value": "[parameters('azureBackupShouldBeEnabledForVirtualMachinesMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_BR-1",
        "Azure_Security_Benchmark_v2.0_BR-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "managedIdentityShouldBeUsedInYourFunctionAppMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f",
      "parameters": {
        "effect": {
          "value": "[parameters('managedIdentityShouldBeUsedInYourFunctionAppMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_IM-1",
        "Azure_Security_Benchmark_v2.0_IM-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "georedundantBackupShouldBeEnabledForAzureDatabaseForMariadbMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0",
      "parameters": {
        "effect": {
          "value": "[parameters('georedundantBackupShouldBeEnabledForAzureDatabaseForMariadbMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_BR-1",
        "Azure_Security_Benchmark_v2.0_BR-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "managedIdentityShouldBeUsedInYourWebAppMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332",
      "parameters": {
        "effect": {
          "value": "[parameters('managedIdentityShouldBeUsedInYourWebAppMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_IM-1",
        "Azure_Security_Benchmark_v2.0_IM-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "georedundantBackupShouldBeEnabledForAzureDatabaseForPostgresqlMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430",
      "parameters": {
        "effect": {
          "value": "[parameters('georedundantBackupShouldBeEnabledForAzureDatabaseForPostgresqlMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_BR-1",
        "Azure_Security_Benchmark_v2.0_BR-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "ensureWEBAppHasClientCertificatesIncomingClientCertificatesSetToOnMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609",
      "parameters": {
        "effect": {
          "value": "[parameters('ensureWEBAppHasClientCertificatesIncomingClientCertificatesSetToOnMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "georedundantBackupShouldBeEnabledForAzureDatabaseForMysqlMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970",
      "parameters": {
        "effect": {
          "value": "[parameters('georedundantBackupShouldBeEnabledForAzureDatabaseForMysqlMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_BR-1",
        "Azure_Security_Benchmark_v2.0_BR-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "latestTLSVersionShouldBeUsedInYourAPIAppMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e",
      "parameters": {
        "effect": {
          "value": "[parameters('latestTLSVersionShouldBeUsedInYourAPIAppMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_DP-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "diagnosticLogsInAppServicesShouldBeEnabledMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0",
      "parameters": {
        "effect": {
          "value": "[parameters('diagnosticLogsInAppServicesShouldBeEnabledMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_LT-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "managedIdentityShouldBeUsedInYourAPIAppMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef",
      "parameters": {
        "effect": {
          "value": "[parameters('managedIdentityShouldBeUsedInYourAPIAppMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_IM-1",
        "Azure_Security_Benchmark_v2.0_IM-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "enforceSSLConnectionShouldBeEnabledForPostgresqlDatabaseServersMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af",
      "parameters": {
        "effect": {
          "value": "[parameters('enforceSSLConnectionShouldBeEnabledForPostgresqlDatabaseServersMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_DP-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "enforceSSLConnectionShouldBeEnabledForMysqlDatabaseServersMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d",
      "parameters": {
        "effect": {
          "value": "[parameters('enforceSSLConnectionShouldBeEnabledForMysqlDatabaseServersMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_DP-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "latestTLSVersionShouldBeUsedInYourWebAppMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b",
      "parameters": {
        "effect": {
          "value": "[parameters('latestTLSVersionShouldBeUsedInYourWebAppMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_DP-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "latestTLSVersionShouldBeUsedInYourFunctionAppMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193",
      "parameters": {
        "effect": {
          "value": "[parameters('latestTLSVersionShouldBeUsedInYourFunctionAppMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_DP-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "ensureThatPHPVersionIsTheLatestIfUsedAsAPartOfTheApiAppMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba",
      "parameters": {
        "effect": {
          "value": "[parameters('ensureThatPHPVersionIsTheLatestIfUsedAsAPartOfTheApiAppMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-7"
      ]
    },
    {
      "policyDefinitionReferenceId": "ensureThatPHPVersionIsTheLatestIfUsedAsAPartOfTheWEBAppMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3",
      "parameters": {
        "effect": {
          "value": "[parameters('ensureThatPHPVersionIsTheLatestIfUsedAsAPartOfTheWEBAppMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-7"
      ]
    },
    {
      "policyDefinitionReferenceId": "ensureThatJavaVersionIsTheLatestIfUsedAsAPartOfTheWebAppMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed",
      "parameters": {
        "effect": {
          "value": "[parameters('ensureThatJavaVersionIsTheLatestIfUsedAsAPartOfTheWebAppMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-7"
      ]
    },
    {
      "policyDefinitionReferenceId": "ensureThatJavaVersionIsTheLatestIfUsedAsAPartOfTheFunctionAppMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc",
      "parameters": {
        "effect": {
          "value": "[parameters('ensureThatJavaVersionIsTheLatestIfUsedAsAPartOfTheFunctionAppMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-7"
      ]
    },
    {
      "policyDefinitionReferenceId": "ensureThatJavaVersionIsTheLatestIfUsedAsAPartOfTheApiAppMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39",
      "parameters": {
        "effect": {
          "value": "[parameters('ensureThatJavaVersionIsTheLatestIfUsedAsAPartOfTheApiAppMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-7"
      ]
    },
    {
      "policyDefinitionReferenceId": "ensureThatPythonVersionIsTheLatestIfUsedAsAPartOfTheWebAppMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73",
      "parameters": {
        "effect": {
          "value": "[parameters('ensureThatPythonVersionIsTheLatestIfUsedAsAPartOfTheWebAppMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-7"
      ]
    },
    {
      "policyDefinitionReferenceId": "ensureThatPythonVersionIsTheLatestIfUsedAsAPartOfTheFunctionAppMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73",
      "parameters": {
        "effect": {
          "value": "[parameters('ensureThatPythonVersionIsTheLatestIfUsedAsAPartOfTheFunctionAppMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-7"
      ]
    },
    {
      "policyDefinitionReferenceId": "ensureThatPythonVersionIsTheLatestIfUsedAsAPartOfTheApiAppMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16",
      "parameters": {
        "effect": {
          "value": "[parameters('ensureThatPythonVersionIsTheLatestIfUsedAsAPartOfTheApiAppMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-7"
      ]
    },
    {
      "policyDefinitionReferenceId": "privateEndpointShouldBeEnabledForPostgresqlServersMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0564d078-92f5-4f97-8398-b9f58a51f70b",
      "parameters": {
        "effect": {
          "value": "[parameters('privateEndpointShouldBeEnabledForPostgresqlServersMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_NS-2",
        "Azure_Security_Benchmark_v2.0_NS-3"
      ]
    },
    {
      "policyDefinitionReferenceId": "privateEndpointShouldBeEnabledForMariadbServersMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a1302fb-a631-4106-9753-f3d494733990",
      "parameters": {
        "effect": {
          "value": "[parameters('privateEndpointShouldBeEnabledForMariadbServersMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_NS-2",
        "Azure_Security_Benchmark_v2.0_NS-3"
      ]
    },
    {
      "policyDefinitionReferenceId": "privateEndpointShouldBeEnabledForMysqlServersMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7595c971-233d-4bcf-bd18-596129188c49",
      "parameters": {
        "effect": {
          "value": "[parameters('privateEndpointShouldBeEnabledForMysqlServersMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_NS-2",
        "Azure_Security_Benchmark_v2.0_NS-3"
      ]
    },
    {
      "policyDefinitionReferenceId": "sQLServersShouldBeConfiguredWithAuditingRetentionDaysGreaterThan90DaysMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743",
      "parameters": {
        "effect": {
          "value": "[parameters('sQLServersShouldBeConfiguredWithAuditingRetentionDaysGreaterThan90DaysMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_LT-6"
      ]
    },
    {
      "policyDefinitionReferenceId": "fTPSOnlyShouldBeRequiredInYourFunctionAppMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15",
      "parameters": {
        "effect": {
          "value": "[parameters('fTPSOnlyShouldBeRequiredInYourFunctionAppMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_DP-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "fTPSShouldBeRequiredInYourWebAppMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b",
      "parameters": {
        "effect": {
          "value": "[parameters('fTPSShouldBeRequiredInYourWebAppMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_DP-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "fTPSOnlyShouldBeRequiredInYourAPIAppMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5",
      "parameters": {
        "effect": {
          "value": "[parameters('fTPSOnlyShouldBeRequiredInYourAPIAppMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_DP-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "functionAppsShouldHaveClientCertificatesEnabledMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c",
      "parameters": {
        "effect": {
          "value": "[parameters('functionAppsShouldHaveClientCertificatesEnabledMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "cognitiveServicesAccountsShouldEnableDataEncryptionWithACustomerManagedKeyMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d",
      "parameters": {
        "effect": {
          "value": "[parameters('cognitiveServicesAccountsShouldEnableDataEncryptionWithACustomerManagedKeyMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_DP-5"
      ]
    },
    {
      "policyDefinitionReferenceId": "azureCosmosDbAccountsShouldUseCustomerManagedKeysToEncryptDataAtRestMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f",
      "parameters": {
        "effect": {
          "value": "[parameters('azureCosmosDbAccountsShouldUseCustomerManagedKeysToEncryptDataAtRestMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_DP-5"
      ]
    },
    {
      "policyDefinitionReferenceId": "keyVaultsShouldHavePurgeProtectionEnabledMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53",
      "parameters": {
        "effect": {
          "value": "[parameters('keyVaultsShouldHavePurgeProtectionEnabledMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_BR-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "keyVaultsShouldHaveSoftDeleteEnabledMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d",
      "parameters": {
        "effect": {
          "value": "[parameters('keyVaultsShouldHaveSoftDeleteEnabledMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_BR-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "azureCacheForRedisShouldResideWithinAVirtualNetworkMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7d092e0a-7acd-40d2-a975-dca21cae48c4",
      "parameters": {
        "effect": {
          "value": "[parameters('azureCacheForRedisShouldResideWithinAVirtualNetworkMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_NS-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "storageAccountsShouldUseCustomerManagedKeyForEncryptionMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25",
      "parameters": {
        "effect": {
          "value": "[parameters('storageAccountsShouldUseCustomerManagedKeyForEncryptionMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_DP-5"
      ]
    },
    {
      "policyDefinitionReferenceId": "storageAccountsShouldRestrictNetworkAccessUsingVirtualNetworkRulesMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f",
      "parameters": {
        "effect": {
          "value": "[parameters('storageAccountsShouldRestrictNetworkAccessUsingVirtualNetworkRulesMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_NS-1"
      ]
    },
    {
      "policyDefinitionReferenceId": "containerRegistriesShouldBeEncryptedWithACustomerManagedKeyMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580",
      "parameters": {
        "effect": {
          "value": "[parameters('containerRegistriesShouldBeEncryptedWithACustomerManagedKeyMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_DP-5"
      ]
    },
    {
      "policyDefinitionReferenceId": "containerRegistriesShouldNotAllowUnrestrictedNetworkAccessMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71",
      "parameters": {
        "effect": {
          "value": "[parameters('containerRegistriesShouldNotAllowUnrestrictedNetworkAccessMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_NS-1"
      ]
    },
    {
      "policyDefinitionReferenceId": "containerRegistriesShouldUsePrivateLinkMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4",
      "parameters": {
        "effect": {
          "value": "[parameters('containerRegistriesShouldUsePrivateLinkMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_NS-2",
        "Azure_Security_Benchmark_v2.0_NS-3"
      ]
    },
    {
      "policyDefinitionReferenceId": "appConfigurationShouldUsePrivateLinkMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ca610c1d-041c-4332-9d88-7ed3094967c7",
      "parameters": {
        "effect": {
          "value": "[parameters('appConfigurationShouldUsePrivateLinkMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_NS-2",
        "Azure_Security_Benchmark_v2.0_NS-3"
      ]
    },
    {
      "policyDefinitionReferenceId": "azureEventGridDomainsShouldUsePrivateLinkMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9830b652-8523-49cc-b1b3-e17dce1127ca",
      "parameters": {
        "effect": {
          "value": "[parameters('azureEventGridDomainsShouldUsePrivateLinkMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_NS-2",
        "Azure_Security_Benchmark_v2.0_NS-3"
      ]
    },
    {
      "policyDefinitionReferenceId": "azureEventGridTopicsShouldUsePrivateLinkMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4b90e17e-8448-49db-875e-bd83fb6f804f",
      "parameters": {
        "effect": {
          "value": "[parameters('azureEventGridTopicsShouldUsePrivateLinkMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_NS-2",
        "Azure_Security_Benchmark_v2.0_NS-3"
      ]
    },
    {
      "policyDefinitionReferenceId": "azureSignalRServiceShouldUsePrivateLinkMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/53503636-bcc9-4748-9663-5348217f160f",
      "parameters": {
        "effect": {
          "value": "[parameters('azureSignalRServiceShouldUsePrivateLinkMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_NS-2",
        "Azure_Security_Benchmark_v2.0_NS-3"
      ]
    },
    {
      "policyDefinitionReferenceId": "azureMachineLearningWorkspacesShouldBeEncryptedWithACustomerManagedKeyMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8",
      "parameters": {
        "effect": {
          "value": "[parameters('azureMachineLearningWorkspacesShouldBeEncryptedWithACustomerManagedKeyMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_DP-5"
      ]
    },
    {
      "policyDefinitionReferenceId": "azureMachineLearningWorkspacesShouldUsePrivateLinkMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/40cec1dd-a100-4920-b15b-3024fe8901ab",
      "parameters": {
        "effect": {
          "value": "[parameters('azureMachineLearningWorkspacesShouldUsePrivateLinkMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_NS-2",
        "Azure_Security_Benchmark_v2.0_NS-3"
      ]
    },
    {
      "policyDefinitionReferenceId": "webApplicationFirewallShouldBeEnabledForAzureFrontDoorServiceServiceMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c",
      "parameters": {
        "effect": {
          "value": "[parameters('webApplicationFirewallShouldBeEnabledForAzureFrontDoorServiceServiceMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_NS-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "webApplicationFirewallShouldBeEnabledForApplicationGatewayMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66",
      "parameters": {
        "effect": {
          "value": "[parameters('webApplicationFirewallShouldBeEnabledForApplicationGatewayMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_NS-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "publicNetworkAccessShouldBeDisabledForMariaDbServersMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077",
      "parameters": {
        "effect": {
          "value": "[parameters('publicNetworkAccessShouldBeDisabledForMariaDbServersMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_NS-1"
      ]
    },
    {
      "policyDefinitionReferenceId": "publicNetworkAccessShouldBeDisabledForMySqlServersMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095",
      "parameters": {
        "effect": {
          "value": "[parameters('publicNetworkAccessShouldBeDisabledForMySqlServersMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_NS-1"
      ]
    },
    {
      "policyDefinitionReferenceId": "bringYourOwnKeyDataProtectionShouldBeEnabledForMySqlServersMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833",
      "parameters": {
        "effect": {
          "value": "[parameters('bringYourOwnKeyDataProtectionShouldBeEnabledForMySqlServersMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_DP-5"
      ]
    },
    {
      "policyDefinitionReferenceId": "publicNetworkAccessShouldBeDisabledForPostgreSqlServersMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c",
      "parameters": {
        "effect": {
          "value": "[parameters('publicNetworkAccessShouldBeDisabledForPostgreSqlServersMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_NS-1"
      ]
    },
    {
      "policyDefinitionReferenceId": "bringYourOwnKeyDataProtectionShouldBeEnabledForPostgreSqlServersMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274",
      "parameters": {
        "effect": {
          "value": "[parameters('bringYourOwnKeyDataProtectionShouldBeEnabledForPostgreSqlServersMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_DP-5"
      ]
    },
    {
      "policyDefinitionReferenceId": "vmImageBuilderTemplatesShouldUsePrivateLinkMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2154edb9-244f-4741-9970-660785bccdaa",
      "parameters": {
        "effect": {
          "value": "[parameters('vmImageBuilderTemplatesShouldUsePrivateLinkMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_NS-2",
        "Azure_Security_Benchmark_v2.0_NS-3"
      ]
    },
    {
      "policyDefinitionReferenceId": "firewallShouldBeEnabledOnKeyVaultMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490",
      "parameters": {
        "effect": {
          "value": "[parameters('firewallShouldBeEnabledOnKeyVaultMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_NS-1",
        "Azure_Security_Benchmark_v2.0_NS-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "privateEndpointShouldBeConfiguredForKeyVaultMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f0bc445-3935-4915-9981-011aa2b46147",
      "parameters": {
        "effect": {
          "value": "[parameters('privateEndpointShouldBeConfiguredForKeyVaultMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_NS-2",
        "Azure_Security_Benchmark_v2.0_NS-3"
      ]
    },
    {
      "policyDefinitionReferenceId": "azureSpringCloudShouldUseNetworkInjectionMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af35e2a4-ef96-44e7-a9ae-853dd97032c4",
      "parameters": {
        "effect": {
          "value": "[parameters('azureSpringCloudShouldUseNetworkInjectionMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_NS-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "subscriptionsShouldHaveAContactEmailAddressForSecurityIssuesMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7",
      "parameters": {
        "effect": {
          "value": "[parameters('subscriptionsShouldHaveAContactEmailAddressForSecurityIssuesMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_IR-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "autoProvisioningOfTheLogAnalyticsAgentShouldBeEnabledOnYourSubscriptionMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17",
      "parameters": {
        "effect": {
          "value": "[parameters('autoProvisioningOfTheLogAnalyticsAgentShouldBeEnabledOnYourSubscriptionMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_LT-5"
      ]
    },
    {
      "policyDefinitionReferenceId": "emailNotificationForHighSeverityAlertsShouldBeEnabledMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899",
      "parameters": {
        "effect": {
          "value": "[parameters('emailNotificationForHighSeverityAlertsShouldBeEnabledMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_IR-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "emailNotificationToSubscriptionOwnerForHighSeverityAlertsShouldBeEnabledMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d",
      "parameters": {
        "effect": {
          "value": "[parameters('emailNotificationToSubscriptionOwnerForHighSeverityAlertsShouldBeEnabledMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_IR-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "storageAccountShouldUseAPrivateLinkConnectionMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9",
      "parameters": {
        "effect": {
          "value": "[parameters('storageAccountShouldUseAPrivateLinkConnectionMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_NS-2",
        "Azure_Security_Benchmark_v2.0_NS-3"
      ]
    },
    {
      "policyDefinitionReferenceId": "authenticationToLinuxMachinesShouldRequireSSHKeysMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6",
      "parameters": {
        "effect": {
          "value": "[parameters('authenticationToLinuxMachinesShouldRequireSSHKeysMonitoringEffect')]"
        },
        "IncludeArcMachines": {
          "value": "[parameters('windowsWebServersShouldBeConfiguredToUseSecureCommunicationProtocolsIncludeArcMachines')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_IM-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "privateEndpointConnectionsOnAzureSQLDatabaseShouldBeEnabledMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7698e800-9299-47a6-b3b6-5a0fee576eed",
      "parameters": {
        "effect": {
          "value": "[parameters('privateEndpointConnectionsOnAzureSQLDatabaseShouldBeEnabledMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_NS-2",
        "Azure_Security_Benchmark_v2.0_NS-3"
      ]
    },
    {
      "policyDefinitionReferenceId": "publicNetworkAccessOnAzureSQLDatabaseShouldBeDisabledMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780",
      "parameters": {
        "effect": {
          "value": "[parameters('publicNetworkAccessOnAzureSQLDatabaseShouldBeDisabledMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_NS-1"
      ]
    },
    {
      "policyDefinitionReferenceId": "ensureAPIAppHasClientCertificatesIncomingClientCertificatesSetToOnMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0c192fe8-9cbb-4516-85b3-0ade8bd03886",
      "parameters": {
        "effect": {
          "value": "[parameters('ensureAPIAppHasClientCertificatesIncomingClientCertificatesSetToOnMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "kubernetesClustersShouldBeAccessibleOnlyOverHTTPSMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d",
      "parameters": {
        "effect": {
          "value": "[parameters('kubernetesClustersShouldBeAccessibleOnlyOverHTTPSMonitoringEffect')]"
        },
        "excludedNamespaces": {
          "value": "[parameters('kubernetesClustersShouldBeAccessibleOnlyOverHTTPSExcludedNamespaces')]"
        },
        "namespaces": {
          "value": "[parameters('kubernetesClustersShouldBeAccessibleOnlyOverHTTPSNamespaces')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_DP-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "windowsWebServersShouldBeConfiguredToUseSecureCommunicationProtocolsMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112",
      "parameters": {
        "effect": {
          "value": "[parameters('windowsWebServersShouldBeConfiguredToUseSecureCommunicationProtocolsMonitoringEffect')]"
        },
        "IncludeArcMachines": {
          "value": "[parameters('windowsWebServersShouldBeConfiguredToUseSecureCommunicationProtocolsIncludeArcMachines')]"
        },
        "MinimumTLSVersion": {
          "value": "[parameters('windowsWebServersShouldBeConfiguredToUseSecureCommunicationProtocolsMinimumTLSVersion')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_DP-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "cognitiveServicesAccountsShouldRestrictNetworkAccessMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3",
      "parameters": {
        "effect": {
          "value": "[parameters('cognitiveServicesAccountsShouldRestrictNetworkAccessMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_NS-1"
      ]
    },
    {
      "policyDefinitionReferenceId": "publicNetworkAccessShouldBeDisabledForCognitiveServicesAccountsMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca",
      "parameters": {
        "effect": {
          "value": "[parameters('publicNetworkAccessShouldBeDisabledForCognitiveServicesAccountsMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_NS-1"
      ]
    },
    {
      "policyDefinitionReferenceId": "aPIManagementServicesShouldUseAVirtualNetworkMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b",
      "parameters": {
        "effect": {
          "value": "[parameters('aPIManagementServicesShouldUseAVirtualNetworkMonitoringEffect')]"
        },
        "evaluatedSkuNames": {
          "value": "[parameters('aPIManagementServicesShouldUseAVirtualNetworkEvaluatedSkuNames')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_NS-1"
      ]
    },
    {
      "policyDefinitionReferenceId": "azureCosmosDBAccountsShouldHaveFirewallRulesMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb",
      "parameters": {
        "effect": {
          "value": "[parameters('azureCosmosDBAccountsShouldHaveFirewallRulesMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_NS-1",
        "Azure_Security_Benchmark_v2.0_NS-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "networkWatcherShouldBeEnabledMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6",
      "parameters": {
        "effect": {
          "value": "[parameters('networkWatcherShouldBeEnabledMonitoringEffect')]"
        },
        "resourceGroupName": {
          "value": "[parameters('networkWatcherShouldBeEnabledResourceGroupName')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_LT-3"
      ]
    },
    {
      "policyDefinitionReferenceId": "AzureDefenderForResourceManagerShouldBeEnabledMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3d20c29-b36d-48fe-808b-99a87530ad99",
      "parameters": {
        "effect": {
          "value": "[parameters('AzureDefenderForResourceManagerShouldBeEnabledMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_LT-1",
        "Azure_Security_Benchmark_v2.0_LT-2",
        "Azure_Security_Benchmark_v2.0_IR-3",
        "Azure_Security_Benchmark_v2.0_IR-5"
      ]
    },
    {
      "policyDefinitionReferenceId": "AzureDefenderForDNSShouldBeEnabledMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bdc59948-5574-49b3-bb91-76b7c986428d",
      "parameters": {
        "effect": {
          "value": "[parameters('AzureDefenderForDNSShouldBeEnabledMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_LT-1",
        "Azure_Security_Benchmark_v2.0_LT-2",
        "Azure_Security_Benchmark_v2.0_IR-3",
        "Azure_Security_Benchmark_v2.0_IR-5"
      ]
    },
    {
      "policyDefinitionReferenceId": "KubernetesClustersShouldNotUseTheDefaultNamespaceMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373",
      "parameters": {
        "effect": {
          "value": "[parameters('KubernetesClustersShouldNotUseTheDefaultNamespaceMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "KubernetesClustersShouldDisableAutomountingAPICredentialsMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/423dd1ba-798e-40e4-9c4d-b6902674b423",
      "parameters": {
        "effect": {
          "value": "[parameters('KubernetesClustersShouldDisableAutomountingAPICredentialsMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "KubernetesClustersShouldNotGrantCAPSYSADMINSecurityCapabilitiesMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d2e7ea85-6b44-4317-a0be-1b951587f626",
      "parameters": {
        "effect": {
          "value": "[parameters('KubernetesClustersShouldNotGrantCAPSYSADMINSecurityCapabilitiesMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-2"
      ]
    },
    {
      "policyDefinitionReferenceId": "VtpmShouldBeEnabledOnSupportedVirtualMachinesMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c30f9cd-b84c-49cc-aa2c-9288447cc3b3",
      "parameters": {
        "effect": {
          "value": "[parameters('VtpmShouldBeEnabledOnSupportedVirtualMachinesMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-3"
      ]
    },
    {
      "policyDefinitionReferenceId": "previewSecureBootShouldBeEnabledOnSupportedWindowsVirtualMachinesMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/97566dd7-78ae-4997-8b36-1c7bfe0d8121",
      "parameters": {
        "effect": {
          "value": "[parameters('SecureBootShouldBeEnabledOnSupportedWindowsVirtualMachinesMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-3"
      ]
    },
    {
      "policyDefinitionReferenceId": "GuestAttestationExtensionShouldBeInstalledOnSupportedLinuxVirtualMachinesMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/672fe5a1-2fcd-42d7-b85d-902b6e28c6ff",
      "parameters": {
        "effect": {
          "value": "[parameters('GuestAttestationExtensionShouldBeInstalledOnSupportedLinuxVirtualMachinesMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-3"
      ]
    },
    {
      "policyDefinitionReferenceId": "GuestAttestationExtensionShouldBeInstalledOnSupportedLinuxVirtualMachinesScaleSetsMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a21f8c92-9e22-4f09-b759-50500d1d2dda",
      "parameters": {
        "effect": {
          "value": "[parameters('GuestAttestationExtensionShouldBeInstalledOnSupportedLinuxVirtualMachinesScaleSetsMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-3"
      ]
    },
    {
      "policyDefinitionReferenceId": "GuestAttestationExtensionShouldBeInstalledOnSupportedWindowsVirtualMachinesMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1cb4d9c2-f88f-4069-bee0-dba239a57b09",
      "parameters": {
        "effect": {
          "value": "[parameters('GuestAttestationExtensionShouldBeInstalledOnSupportedWindowsVirtualMachinesMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-3"
      ]
    },
    {
      "policyDefinitionReferenceId": "GuestAttestationExtensionShouldBeInstalledOnSupportedWindowsVirtualMachinesScaleSetsMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f655e522-adff-494d-95c2-52d4f6d56a42",
      "parameters": {
        "effect": {
          "value": "[parameters('GuestAttestationExtensionShouldBeInstalledOnSupportedWindowsVirtualMachinesScaleSetsMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_PV-3"
      ]
    },
    {
      "policyDefinitionReferenceId": "installEndpointProtection",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8",
      "parameters": {
        "effect": {
          "value": "[parameters('installEndpointProtectionMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_ES-2",
        "Azure_Security_Benchmark_v2.0_ES-3"
      ]
    },
    {
      "policyDefinitionReferenceId": "endpointProtectionHealthIssuesMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2",
      "parameters": {
        "effect": {
          "value": "[parameters('endpointProtectionHealthIssuesMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_ES-2",
        "Azure_Security_Benchmark_v2.0_ES-3"
      ]
    },
    {
      "policyDefinitionReferenceId": "diagnosticsLogsInKubernetesMonitoring",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/245fc9df-fa96-4414-9a0b-3738c2f7341c",
      "parameters": {
        "effect": {
          "value": "[parameters('diagnosticsLogsInKubernetesMonitoringEffect')]"
        },
        "requiredRetentionDays": {
          "value": "[parameters('diagnosticsLogsInKubernetesRetentionDays')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_LT-4"
      ]
    },
    {
      "policyDefinitionReferenceId": "AzureDefenderForOpenSourceRelationalDatabasesShouldBeEnabledMonitoringEffect",
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a9fbe0d-c5c4-4da8-87d8-f4fd77338835",
      "parameters": {
        "effect": {
          "value": "[parameters('AzureDefenderForOpenSourceRelationalDatabasesShouldBeEnabledMonitoringEffect')]"
        }
      },
      "groupNames": [
        "Azure_Security_Benchmark_v2.0_DP-2",
        "Azure_Security_Benchmark_v2.0_DP-3",
        "Azure_Security_Benchmark_v2.0_LT-1",
        "Azure_Security_Benchmark_v2.0_LT-2",
        "Azure_Security_Benchmark_v2.0_IR-3",
        "Azure_Security_Benchmark_v2.0_IR-5"
      ]
    }
  ],
  "policyDefinitionGroups": [
    {
      "name": "Azure_Security_Benchmark_v2.0_NS-1",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_NS-1"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_NS-2",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_NS-2"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_NS-3",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_NS-3"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_NS-4",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_NS-4"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_NS-5",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_NS-5"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_NS-6",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_NS-6"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_NS-7",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_NS-7"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_IM-1",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IM-1"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_IM-2",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IM-2"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_IM-3",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IM-3"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_IM-4",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IM-4"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_IM-5",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IM-5"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_IM-6",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IM-6"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_IM-7",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IM-7"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_IM-8",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IM-8"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_PA-1",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PA-1"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_PA-2",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PA-2"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_PA-3",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PA-3"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_PA-4",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PA-4"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_PA-5",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PA-5"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_PA-6",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PA-6"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_PA-7",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PA-7"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_PA-8",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PA-8"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_DP-1",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_DP-1"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_DP-2",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_DP-2"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_DP-3",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_DP-3"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_DP-4",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_DP-4"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_DP-5",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_DP-5"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_AM-1",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_AM-1"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_AM-2",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_AM-2"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_AM-3",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_AM-3"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_AM-4",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_AM-4"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_AM-5",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_AM-5"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_AM-6",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_AM-6"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_LT-1",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_LT-1"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_LT-2",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_LT-2"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_LT-3",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_LT-3"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_LT-4",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_LT-4"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_LT-5",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_LT-5"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_LT-6",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_LT-6"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_LT-7",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_LT-7"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_IR-1",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IR-1"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_IR-2",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IR-2"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_IR-3",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IR-3"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_IR-4",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IR-4"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_IR-5",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IR-5"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_IR-6",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_IR-6"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_PV-1",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PV-1"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_PV-2",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PV-2"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_PV-3",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PV-3"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_PV-4",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PV-4"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_PV-5",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PV-5"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_PV-6",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PV-6"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_PV-7",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PV-7"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_PV-8",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_PV-8"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_ES-1",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_ES-1"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_ES-2",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_ES-2"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_ES-3",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_ES-3"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_BR-1",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_BR-1"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_BR-2",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_BR-2"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_BR-3",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_BR-3"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_BR-4",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_BR-4"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_GS-1",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_GS-1"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_GS-2",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_GS-2"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_GS-3",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_GS-3"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_GS-4",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_GS-4"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_GS-5",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_GS-5"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_GS-6",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_GS-6"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_GS-7",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_GS-7"
    },
    {
      "name": "Azure_Security_Benchmark_v2.0_GS-8",
      "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v2.0_GS-8"
    }
  ]
}