Docs update tracker

Updates from: 03/14/2022 02:07:07

Service	Microsoft Docs article	Related commit history on GitHub	Change details
active-directory-b2c	Predicates	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/predicates.md	Previously updated : 03/30/2020 Last updated : 03/13/2022 The Parameter element contains the following attributes: #### IsLengthRange -The IsLengthRange method checks whether the length of a string claim value is within the range of minimum and maximum parameters specified. The predicate element supports the following parameters: +The IsLengthRange method checks whether the length of a string claim value is within the range of minimum and maximum parameters specified. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/predicates#islengthrange-method) of this predicate method. The predicate element supports the following parameters: \| Parameter \| Required \| Description \| \| - \| -- \| -- \| The following example shows a IsLengthRange method with the parameters `Minimum` #### MatchesRegex -The MatchesRegex method checks whether a string claim value matches a regular expression. The predicate element supports the following parameters: +The MatchesRegex method checks whether a string claim value matches a regular expression. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/predicates#matchesregex-method) of this predicate method. The predicate element supports the following parameters: \| Parameter \| Required \| Description \| \| - \| -- \| -- \| The following example shows a `MatchesRegex` method with the parameter `RegularE #### IncludesCharacters -The IncludesCharacters method checks whether a string claim value contains a character set. The predicate element supports the following parameters: +The IncludesCharacters method checks whether a string claim value contains a character set. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/predicates#includescharacters-method) of this predicate method. The predicate element supports the following parameters: \| Parameter \| Required \| Description \| \| - \| -- \| -- \| The following example shows a `IncludesCharacters` method with the parameter `Ch #### IsDateRange -The IsDateRange method checks whether a date claim value is between a range of minimum and maximum parameters specified. The predicate element supports the following parameters: +The IsDateRange method checks whether a date claim value is between a range of minimum and maximum parameters specified. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/predicates#isdaterange-method) of this predicate method. The predicate element supports the following parameters: \| Parameter \| Required \| Description \| \| - \| -- \| -- \|
active-directory-b2c	Session Behavior	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/session-behavior.md	Previously updated : 02/25/2022 Last updated : 03/13/2022 To configure the session behavior in your custom policy, follow these steps: ## Enable Keep me signed in (KMSI) -You can enable the KMSI feature for users of your web and native applications who have local accounts in your Azure AD B2C directory. When you enable the feature, users can opt to stay signed in so the session remains active after they close the browser. The session is maintained by setting a [persistent cookie](cookie-definitions.md). Users who select KMSI, can reopen the browser without being prompted to reenter their username and password. This access (persistent cookie) is revoked when a user signs out. +You can enable the KMSI feature for users of your web and native applications who have local accounts in your Azure AD B2C directory. When you enable the feature, users can opt to stay signed in so the session remains active after they close the browser. The session is maintained by setting a [persistent cookie](cookie-definitions.md). Users who select KMSI, can reopen the browser without being prompted to reenter their username and password. This access (persistent cookie) is revoked when a user signs out. For more information, check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/session#enable-keep-me-signed-in-kmsi). ![Example sign-up sign-in page showing a Keep me signed in checkbox](./media/session-behavior/keep-me-signed-in.png) To require an ID Token in logout requests: ::: zone pivot="b2c-custom-policy" -To require an ID Token in logout requests, add a UserJourneyBehaviors element inside of the [RelyingParty](relyingparty.md) element. Then set the EnforceIdTokenHintOnLogout of the SingleSignOn element to `true`. Your UserJourneyBehaviors element should look like this example: +To require an ID Token in logout requests, add a UserJourneyBehaviors element inside of the [RelyingParty](relyingparty.md) element. Then set the EnforceIdTokenHintOnLogout of the SingleSignOn element to `true`. For more information, check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/session#enforce-id-token-hint-on-logout). Your UserJourneyBehaviors element should look like this example: ```xml <UserJourneyBehaviors>
active-directory	Amazon Web Service Tutorial	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/amazon-web-service-tutorial.md	Previously updated : 02/28/2022 Last updated : 03/08/2022 Follow these steps to enable Azure AD SSO in the Azure portal. 1. In the Azure portal, on the AWS Single-Account Access application integration page, find the Manage section and select single sign-on. 1. On the Select a single sign-on method page, select SAML. -1. On the Set up single sign-on with SAML page, click the edit/pen icon for Basic SAML Configuration to edit the settings. +1. On the Set up single sign-on with SAML page, click the pencil icon for Basic SAML Configuration to edit the settings. ![Edit Basic SAML Configuration](common/edit-urls.png) In this section, you test your Azure AD single sign-on configuration with follow #### IDP initiated: -* Click on Test this application in Azure portal and you should be automatically signed in to the AWS Single-Account Access for which you set up the SSO +* Click on Test this application in Azure portal and you should be automatically signed in to the AWS Single-Account Access for which you set up the SSO. You can also use Microsoft My Apps to test the application in any mode. When you click the AWS Single-Account Access tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the AWS Single-Account Access for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510). - ## Known issues -* AWS Single-Account Access provisioning integration can be used only to connect to AWS public cloud endpoints. AWS Single-Account Access provisioning integration can't be used to access AWS Government environments. +* AWS Single-Account Access provisioning integration can be used only to connect to AWS public cloud endpoints. AWS Single-Account Access provisioning integration can't be used to access AWS Government environments, or the AWS China regions. * In the Provisioning section, the Mappings subsection shows a "Loading..." message, and never displays the attribute mappings. The only provisioning workflow supported today is the import of roles from AWS into Azure AD for selection during a user or group assignment. The attribute mappings for this are predetermined, and aren't configurable.
active-directory	Aws Single Sign On Tutorial	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/aws-single-sign-on-tutorial.md	Previously updated : 10/26/2021 Last updated : 03/10/2022 In this tutorial, you configure and test Azure AD SSO in a test environment. * AWS Single Sign-on supports [Automated user provisioning](./aws-single-sign-on-provisioning-tutorial.md). -## Adding AWS Single Sign-on from the gallery +## Add AWS Single Sign-on from the gallery To configure the integration of AWS Single Sign-on into Azure AD, you need to add AWS Single Sign-on from the gallery to your list of managed SaaS apps. To configure the integration of AWS Single Sign-on into Azure AD, you need to ad 1. In the Add from the gallery section, type AWS Single Sign-on in the search box. 1. Select AWS Single Sign-on from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for AWS Single Sign-on Configure and test Azure AD SSO with AWS Single Sign-on using a test user called B.Simon. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in AWS Single Sign-on. Follow these steps to enable Azure AD SSO in the Azure portal. ![image2](common/browse-upload-metadata.png) - c. Once the metadata file is successfully uploaded, the Identifier and Reply URL values get auto populated in Basic SAML Configuration section: - - ![image3](common/idp-intiated.png) + c. Once the metadata file is successfully uploaded, the Identifier and Reply URL values get auto populated in Basic SAML Configuration section. > [!Note] > If the Identifier and Reply URL values are not getting auto populated, then fill in the values manually according to your requirement. -1. If you don't have Service Provider metadata file, perform the following steps on the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode, enter the values for the following fields: + > [!Note] + > When changing identity provider in AWS (i.e. from AD to external provider such as Azure AD) the AWS metadata will change and need to be reuploaded to Azure for SSO to function correctly. + +1. If you don't have Service Provider metadata file, perform the following steps on the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode, perform the following steps: a. In the Identifier text box, type a URL using the following pattern: `https://<REGION>.signin.aws.amazon.com/platform/saml/<ID>` Follow these steps to enable Azure AD SSO in the Azure portal. ![image](common/edit-attribute.png) - > [!NOTE] > If ABAC is enabled in AWS SSO, the additional attributes may be passed as session tags directly into AWS accounts. In this section, you'll enable B.Simon to use Azure single sign-on by granting a g. Choose Next: Groups. > [!NOTE] - > Make sure the username entered in AWS SSO matches the userΓÇÖs Azure AD sign-in name. This -will you help avoid any authentication problems. + > Make sure the username entered in AWS SSO matches the userΓÇÖs Azure AD sign-in name. This will you help avoid any authentication problems. 5. Choose Add user. 6. Next, you will assign the user to your AWS account. To do so, in the left navigation pane of the In this section, you test your Azure AD single sign-on configuration with follow #### IDP initiated: -* Click on Test this application in Azure portal and you should be automatically signed in to the AWS Single Sign-on for which you set up the SSO +* Click on Test this application in Azure portal and you should be automatically signed in to the AWS Single Sign-on for which you set up the SSO. You can also use Microsoft My Apps to test the application in any mode. When you click the AWS Single Sign-on tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the AWS Single Sign-on for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510). - ## Next steps -Once you configure AWS Single Sign-on you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app). +Once you configure AWS Single Sign-on you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).
active-directory	Fortiweb Web Application Firewall Tutorial	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/fortiweb-web-application-firewall-tutorial.md	Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with FortiWeb Web Application Firewall \| Microsoft Docs' + Title: 'Tutorial: Azure AD SSO integration with FortiWeb Web Application Firewall' description: Learn how to configure single sign-on between Azure Active Directory and FortiWeb Web Application Firewall. Previously updated : 11/24/2020 Last updated : 03/11/2020 -# Tutorial: Azure Active Directory single sign-on (SSO) integration with FortiWeb Web Application Firewall +# Tutorial: Azure AD SSO integration with FortiWeb Web Application Firewall In this tutorial, you'll learn how to integrate FortiWeb Web Application Firewall with Azure Active Directory (Azure AD). When you integrate FortiWeb Web Application Firewall with Azure AD, you can: To get started, you need the following items: * An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). * FortiWeb Web Application Firewall single sign-on (SSO) enabled subscription. +> [!NOTE] +> This integration is also available to use from Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from public cloud. + ## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
active-directory	Tribeloo Tutorial	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/tribeloo-tutorial.md	Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Tribeloo \| Microsoft Docs' + Title: 'Tutorial: Azure AD SSO integration with Tribeloo' description: Learn how to configure single sign-on between Azure Active Directory and Tribeloo. Previously updated : 09/02/2021 Last updated : 03/11/2021 -# Tutorial: Azure Active Directory single sign-on (SSO) integration with Tribeloo +# Tutorial: Azure AD SSO integration with Tribeloo In this tutorial, you'll learn how to integrate Tribeloo with Azure Active Directory (Azure AD). When you integrate Tribeloo with Azure AD, you can: To get started, you need the following items: * An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). * Tribeloo single sign-on (SSO) enabled subscription. +> [!NOTE] +> This integration is also available to use from Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from public cloud. + ## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
active-directory	Memo 22 09 Authorization	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/memo-22-09-authorization.md	+ + Title: Memo 22-09 authorization requirements +description: Guidance on meeting authorization requirements outlined in US government OMB memorandum 22-09 +++++++++ Last updated : 3/10/2022++++ +# Meet authorization requirements for Memorandum 22-09 + +This series of articles offer guidance for employing Azure Active Directory (Azure AD) as a centralized identity management system for implementing Zero Trust principles as described by the US Federal GovernmentΓÇÖs Office of Management and Budget (OMB) [Memorandum M-22-09](https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf). Throughout this document. We refer to it as ΓÇ£The memo.ΓÇ¥ + +[Memorandum M-22-09](https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf) requires specific types of enforcement within your MFA policies. Specifically, you must account for device-based, role-based, attribute-based controls, and privileged access management. + + + +## Device-based controls + +M-22-09 specifically requires the use of at least one device-based signal when making an authorization decision to access a system or application. This requirement can be enforced using Conditional Access and there are several device signals that can be applied during the authorization. The following table describes the signal and the requirements to retrieve the signal: + +\| Signal\| Signal retrieval \| +\| - \| - \| +\| Device must be managed\| Integration with Intune or another MDM that supports this integration are required. +Hybrid Azure AD joined since the device is managed by active directory also qualifies \| +\| Device must be compliant\| Integration with Intune or other MDMΓÇÖs that support this integration are required. For more information, see [Use device compliance policies to set rules for devices you manage with Intune](/mem/intune/protect/device-compliance-get-started) \| +\| Threat signals\| Microsoft Defender for Endpoint and other EDR tools have integrations with Azure AD and Intune to send threat signals that can be used to deny access. Threat signals are part of the compliant status signal \| +\| Cross tenant access policies\| permits an organization to trust device signals from devices belonging to other organizations. (public preview) \| + +## Role-based access controls + +Role based access control (RBAC role) remains an important way to enforce basic authorizations through assignments of users to a role in a particular scope. Azure AD has tools that make RBAC assignment and lifecycle management easier. This includes assigning access using [entitlement management](../governance/entitlement-management-overview.md) features, include [Access Packages](../governance/entitlement-management-access-package-create.md) and [Access Reviews](../governance/access-reviews-overview.md). These ease the burden of managing authorizations by providing self-service requests and automated functions to managed the lifecycle, for example by automatically ending access based of specific criteria. + +## Attribute-based controls + +Attribute based access controls rely on metadata assigned to a user or resource as a mechanism to permit or deny access during authentication. There are several ways you can create authorizations using ABAC enforcements for data and resources through authentication. + +### Attributes assigned to users + +Attributes assigned to users and stored in Azure AD can be leveraged to create authorizations for users. This is achieved through the automatic assignment of users to [Dynamic Groups](../enterprise-users/groups-create-rule.md) based on a particular ruleset defined during group creation. Rules are configured to add or remove a user from the group based on the evaluation of the rule against the user and one or more of their attributes. This feature has greater value when your attributes are maintained and not statically set on users from the day of creation. + +### Attributes assigned to data + +Azure AD allows integration of an authorization directly to the data. You can create integrate authorization in multiple ways. + +You can configure [authentication context](../conditional-access/concept-conditional-access-cloud-apps.md) within Conditional Access Policies. This allows you to, for example, restrict which actions a user can take within an application or on specific data. These authentication contexts are then mapped within the data source itself. Data sources can be office files like word and excel or SharePoint sites that use mapped to your authentication context. An example of this integration is shown [here](/sharepoint/authentication-context-example). + +You can also leverage authentication context assigned to data directly in your applications. This requires integration with the application code and [developers](../develop/developer-guide-conditional-access-authentication-context.md) to adopt this capability. Authentication context integration with Microsoft Defender for Cloud Apps can be used to control [actions taken on data using session controls](/defender-cloud-apps/session-policy-aad). Dynamic groups mentioned previously when combined with Authentication context allow you to control user access mappings between the data and the user attributes. + +### Attributes assigned to resources + +Azure includes [ABAC for Storage](../../role-based-access-control/conditions-overview.md) which allows the assignment of metadata tags on data stored in an Azure blob storage account. This metadata can then be assigned to users using role assignments to grant access. + +## Privileged Access Management + +The memo specifically calls out the use of privileged access management tools that leverage single factor ephemeral credentials for accessing systems as insufficient. These technologies often include password vault products that accept MFA logon for an admin and produce a generated password for an alternate account used to access the system. The system being accessed is still accessed with a single factor. Microsoft has tools for implementing [Privileged identity management](../privileged-identity-management/pim-configure.md) (PIM) for privileged systems with the central identity management system of Azure AD. Using the methods described in the MFA section you can enforce MFA for most privileged systems directly, whether these are applications, infrastructure, or devices. Azure also features PIM capabilities to step up into a specific privileged role. This requires implementation of PIM with Azure AD identities and identifying those systems that are privileged and require additional protections to prevent lateral movement. Configuration guidance is located [here](../privileged-identity-management/pim-deployment-plan.md). + +## Next steps + +The following articles are a part of this documentation set: + +[Meet identity requirements of Memorandum 22-09](memo-22-09-meet-identity-requirements.md) + +[Enterprise-wide identity management system](memo-22-09-enterprise-wide-identity-management-system.md) + +[Multi-factor authentication](memo-22-09-multi-factor-authentication.md) + +[Authorization](memo-22-09-authorization.md) + +[Other areas of Zero Trust](memo-22-09-other-areas-zero-trust.md) + +Additional Zero Trust Documentation + +[Securing identity with Zero Trust](/security/zero-trust/deploy/identity)
active-directory	Memo 22 09 Enterprise Wide Identity Management System	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/memo-22-09-enterprise-wide-identity-management-system.md	+ + Title: Memo 22-09 enterprise-wide identity management systems +description: Guidance on meeting enterprise-wide identity management system requirements outlined in US government OMB memorandum 22-09 +++++++++ Last updated : 3/10/2022++++ +# Enterprise-wide identity management system + +M-22-09 requires agencies to develop a plan to consolidate their identity platforms to ΓÇ£as few agency managed identity systems as possibleΓÇ¥ within 60 days of publication, March 28, 2022. There are several advantages to consolidating your identity platform: + +* Centralized management of identity lifecycle, policy enforcement, and auditable controls. + +* Uniform capability and parity of enforcement. + +* Reduced need to train resources across multiple systems. + +* Enable users to sign in once and then directly access applications and services in the IT environment. + +* Integrate with as many agency applications as possible. + +* Facilitate integration among agencies using shared authentication services and trust relationships + + + +## Why Azure Active Directory? + +Azure Active Directory provides the capabilities necessary to implement the recommendations from M-22-09 as well as other broad identity controls that support Zero Trust initiatives. Additionally, if your agency uses Microsoft Office 365, you already have an Azure AD back end to which you can consolidate. + +## Single sign-on requirements + +The memo requires that users sign in once and then directly access applications. MicrosoftΓÇÖs robust single-sign-on capabilities enable the ability for users to sign-in once and then access cloud and other applications. For more information, see [Azure Active Directory Single sign-on](../hybrid/how-to-connect-sso.md). + +### Integration across agencies + +[Azure AD B2B collaboration](../external-identities/what-is-b2b.md) (B2B) helps you to meet the requirement to facilitate integration among agencies. It does this by both limiting what other Microsoft tenants your users can access, and by enabling you to allow access to users that you do not have to manage in your own tenant, but whom you can subject to your MFA and other access requirements. + +## Connect applications + +To consolidate your enterprise to using Azure AD as the enterprise-wide identity system, you must first understand the relevant assets that will be in scope. + +### Document applications and services + +To do so, you must inventory the applications and services that users will be accessing: An identity management system can protect only what it knows. Assets must be classified in terms of the sensitivity of data they contain, as well as laws and regulations that establish specific requirements for confidentiality, integrity, or availability of data/information in each major system and that apply to the systemΓÇÖs particular information protection requirements. + +### Classifying applications and services + +As a part of your application inventory, you will need to determine if your current applications use ΓÇ£cloud readyΓÇ¥ or legacy authentication protocols + +* Cloud ready applications support modern protocols for authentication such as SAML, WS-Federation/Trust, OpenID Connect (OIDC), and OAuth 2.0. + +* Legacy authentication applications rely on legacy or proprietary methods of authentication to include but not limited to Kerberos/NTLM (windows authentication), header based, LDAP, and basic authentication. + +#### Tools for application and service discovery + +Microsoft makes available several tools to help with your discovery of applications. + +\| Tool\| Usage \| +\| - \| - \| +\| [Usage Analytics for AD FS](../hybrid/how-to-connect-health-adfs.md)\| Analyzes the authentication traffic of your federated servers. \| +\| [Microsoft Defender for Cloud Apps](%20/defender-cloud-apps/what-is-defender-for-cloud-apps) (MDCA)\| Previously known as Microsoft Cloud App Security (MCAS), Defender for Cloud Apps scans firewall logs to detect cloud apps, IaaS and PaaS services used by your organization. Integrating MDCA with Defender for Endpoint allows discovery to happen from data analyzed from window client devices. \| +\| [Application Documentation worksheet](https://download.microsoft.com/download/2/8/3/283F995C-5169-43A0-B81D-B0ED539FB3DD/Application%20Discovery%20worksheet.xlsx)\| Helps you document the current states of your applications \| + +We recognize that your apps may be in systems other than Microsoft, and that our tools may not discover those apps. Ensure you do a complete inventory. All providers should have mechanisms for discovering applications using their services. + +#### Prioritize applications for connection + +Once you discover all applications in your environment, you will need to prioritize them for migration. You should consider business criticality, user profiles, usage, and lifespan. + +For more information on prioritizing applications for migration, see [Migrating your applications to Azure Active Directory](https://aka.ms/migrateapps/whitepaper). + +First, connect your cloud-ready apps in priority order. Then look at applications using legacy authentication protocols. + +For apps using [legacy authentication protocols](../fundamentals/auth-sync-overview.md), consider the following: + +* For apps with modern authentication not yet using Azure AD, reconfigure them to use Azure AD. + +* For apps without modern authentication, there are two choices: + + * Modernize the application code to use modern protocols by integrating the [Microsoft Authentication Library (MSAL).](../develop/v2-overview.md) + + * [Use Azure AD Application Proxy or Secure hybrid partner access](../manage-apps/secure-hybrid-access.md) to provide secure access. + +* Decommission access to apps that are no longer needed, or are not supported (for example, apps added by shadow IT processes). Also have an alarm for + +## Connect devices + +Part of centralizing your identity management system will include enabling sign-in to devices. This enables users to sign in to physical and virtual devices. + +You can connect Windows and Linux devices in your centralized Azure AD system, eliminating the need to have multiple, separate identity systems. + +During your inventory and scope phase you should consider identifying your devices and infrastructure so they may be integrated with Azure AD to centralize your authentication and management and take advantage of conditional access policies and MFA that can be enforced through Azure AD. + +### Tools for discovering devices + +You can leverage [Azure automation accounts](../../automation/change-tracking/manage-inventory-vms.md) to identify devices through inventory collection connected to Azure monitor. + +[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/machines-view-overview?view=o365-worldwide) (MDE) also features device inventory capabilities and discovery. This feature looks at devices that have MDE configured as well as network discovery of devices not configured with MDE. Device inventory may also come from on-premises systems such as [Configuration manager](/mem/configmgr/core/clients/manage/inventory/introduction-to-hardware-inventory) to do device inventory or other 3<sup data-htmlnode="">rd</sup> party systems used to manage devices and clients. + +### Integrate devices to Azure AD + +Devices integrated with Azure AD can either be [hybrid joined devices](../devices/concept-azure-ad-join-hybrid.md) or [Azure Active directory joined devices](../devices/concept-azure-ad-join-hybrid.md). Agencies should separate device onboarding by client and end user devices and physical and virtual machines that operate as infrastructure. For more information about choosing and implementing your end-user device deployment strategy, see [Plan your Azure AD device deployment](../devices/plan-device-deployment.md). For servers and infrastructure consider the following examples for connecting: + +* [Azure windows VMΓÇÖs](../devices/howto-vm-sign-in-azure-ad-windows.md) + +* [Azure Linux VMΓÇÖs](../devices/howto-vm-sign-in-azure-ad-linux.md) + +* [VDI infrastructure](../devices/howto-device-identity-virtual-desktop-infrastructure.md) + +## Next steps + +The following articles are a part of this documentation set: + +[Meet identity requirements of Memorandum 22-09](memo-22-09-meet-identity-requirements.md) + +[Enterprise-wide identity management system](memo-22-09-enterprise-wide-identity-management-system.md) + +[Multi-factor authentication](memo-22-09-multi-factor-authentication.md) + +[Authorization](memo-22-09-authorization.md) + +[Other areas of Zero Trust](memo-22-09-other-areas-zero-trust.md) + +Additional Zero Trust Documentation + +[Securing identity with Zero Trust](/security/zero-trust/deploy/identity)
active-directory	Memo 22 09 Meet Identity Requirements	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/memo-22-09-meet-identity-requirements.md	+ + Title: Memo 22-09 identity requirements overview +description: Guidance on meeting requirements outlined in US government OMB memorandum 22-09 +++++++++ Last updated : 3/10/2022++++ +# Meeting identity requirements of Memorandum 22-09 with Azure Active Directory + +This series of articles offer guidance for employing Azure Active Directory (Azure AD) as a centralized identity management system for implementing Zero Trust principles as described by the US Federal GovernmentΓÇÖs Office of Management and Budget (OMB) [Memorandum M-22-09](https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf). Throughout this document wee refer to it as "The memo." + +The release of Memorandum 22-09 is designed to support Zero trust initiatives within federal agencies; it also provides regulatory guidance in supporting Federal Cybersecurity and Data Privacy Laws. The Memo cites the [Department of Defense (DoD) Zero Trust Reference Architecture](https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v1.1(U)_Mar21.pdf), + +"The foundational tenet of the Zero Trust Model is that no actor, system, network, or service operating outside or within the security perimeter is trusted. Instead, we must verify anything and everything attempting to establish access. It is a dramatic paradigm shift in philosophy of how we secure our infrastructure, networks, and data, from verify once at the perimeter to continual verification of each user, device, application, and transaction." + +The Memo identifies five core goals that must be reached by federal agencies. These goals are organized using the Cybersecurity Information Systems Architecture (CISA) Maturity Model. CISAΓÇÖs zero trust model describes five complementary areas of effort ΓÇô or pillars: Identity, Devices, Networks, Applications and Workloads, and Data; with three themes that cut across these areas (Visibility and Analytics, Automation and Orchestration, and Governance). + +## Scope of guidance + +This series of articles provides practical guidance for administrators and decision makers to adapt a plan to meet memo requirements. It assumes that you are using Microsoft 365 products, and therefore have an Azure Active Directory tenant available. If this is inaccurate, see [Access & create new tenant](../fundamentals/active-directory-access-create-new-tenant.md). + +It features guidance encompassing existing agency investments in Microsoft technologies that align with the identity-related actions outlined in the memo: + +* Agencies must employ centralized identity management systems for agency users that +can be integrated into applications and common platforms. ++ +* Agencies must use strong multi-factor authentication (MFA) throughout their enterprise. + + * MFA must be enforced at the application layer, instead of the network layer. + + * For agency staff, contractors, and partners, phishing-resistant MFA is required. + + * For public users, phishing-resistant MFA must be an option. + +* Password policies must not require the use of special characters or regular rotation. + +* When authorizing users to access resources, agencies must consider at least one device-level signal alongside identity information about the authenticated user. + + +## Next steps + +The following articles are a part of this documentation set: + +[Meet identity requirements of Memorandum 22-09](memo-22-09-meet-identity-requirements.md) + +[Enterprise-wide identity management system](memo-22-09-enterprise-wide-identity-management-system.md) + +[Multi-factor authentication](memo-22-09-multi-factor-authentication.md) + +[Authorization](memo-22-09-authorization.md) + +[Other areas of Zero Trust](memo-22-09-other-areas-zero-trust.md) + +Additional Zero Trust Documentation + +[Securing identity with Zero Trust](/security/zero-trust/deploy/identity)
active-directory	Memo 22 09 Multi Factor Authentication	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/memo-22-09-multi-factor-authentication.md	+ + Title: Memo 22-09 multi-factor authentication requirements overview +description: Guidance on meeting multi-factor authentication requirements outlined in US government OMB memorandum 22-09 +++++++++ Last updated : 3/10/2022++++ +# Multi-factor authentication + +This series of articles offer guidance for employing Azure Active Directory (Azure AD) as a centralized identity management system for implementing Zero Trust principles as described by the US Federal GovernmentΓÇÖs Office of Management and Budget (OMB) [Memorandum M-22-09](https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf). Throughout this document we refer to it as "The Memo." + +The Memo requires that all employees use enterprise-managed identities to access applications, and that phishing-resistant multi-factor authentication (MFA) protect those personnel from sophisticated online attacks. Phishing is the attempt to obtain and compromise credentials, for example through sending a spoofed email that leads to an inauthentic site. + +Adoption of MFA is critical to preventing unauthorized access to accounts and data. The Memo requires MFA usage with phishing resistant methods, defined as "authentication processes designed to detect and prevent disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system." The first step is to establish what MFA methods qualify as phishing resistant. + +## Phishing resistant methods + +* AD FS as a federated identity provider configured with Certificate Based Authentication + +* Azure AD Certificate Based Authentication + +* FIDO2 security keys + +* Windows Hello for Business + +* Microsoft Authenticator + Conditional access policies that enforce managed or compliant devices to access the application or service + + * Microsoft Authenticator native phishing resistance is in development. + +### MFA requirements by method + +Your current device capabilities, user personas, and other requirements may dictate specific multi-factor methods. For example, if you are adopting FIDO2 security keys that have only USB-C support, they can only be leveraged from devices with USB-C ports. + +Consider an approach to evaluating phishing resistant MFA methods that encompasses the following aspects: + +* Device types and capabilities you wish to support + +* Examples: Kiosks, laptops, mobile phones, biometric readers, USB, Bluetooth, NFC, etc. + +* The user personas within your organization + + * Examples: Front line workers, remote workers with and without company owned hardware, Administrators with privileged access workstation, B2B guest users, etc. + +* Logistics of distributing, configuring, and registering MFA methods such as FIDO 2.0 security keys, smart cards, government furnished equipment, or Windows devices with TPM chips. + +* Need for FIPS 140 validation at a specific [authenticator assurance level](nist-about-authenticator-assurance-levels.md) (AAL). + + * For example, some FIDO security keys are FIPS 140-validated at levels required for [AAL3](nist-authenticator-assurance-level-3.md) as set by [NIST SP 800-63B](https://pages.nist.gov/800-63-3/sp800-63b.html). + +## Implementation considerations for phishing resistant MFA + +The following describes support for implementing phishing resistant methods mentioned previously for both application and virtual device sign-in scenarios. + +### Application sign-in scenarios from different clients + +The following table details the availability of phishing-resistant MFA scenarios based on the device type being used to sign-in to the applications. ++ +\| Devices \| AD FS as a federated IDP configured with certificate-based authentication\| Azure AD certificate-based authentication\| FIDO 2.0 security keys\| Windows hello for Business\| Microsoft authenticator + CA for managed devices \| +\| - \| - \| - \| - \| - \| - \| +\| Windows device\| ![Checkmark with solid fill](media/memo-22-09/check.jpg)\| ![Checkmark with solid fill](media/memo-22-09/check.jpg)\| ![Checkmark with solid fill](media/memo-22-09/check.jpg)\| ![Checkmark with solid fill](media/memo-22-09/check.jpg)\| ![Checkmark with solid fill](media/memo-22-09/check.jpg) \| +\| iOS mobile device\| ![Checkmark with solid fill](media/memo-22-09/check.jpg)\| ![Checkmark with solid fill](media/memo-22-09/check.jpg)\| N/A\| N/A\| ![Checkmark with solid fill](media/memo-22-09/check.jpg) \| +\| Android mobile device\| ![Checkmark with solid fill](media/memo-22-09/check.jpg)\| ![Checkmark with solid fill](media/memo-22-09/check.jpg)\| N/A\| N/A\| ![Checkmark with solid fill](media/memo-22-09/check.jpg) \| +\| MacOS device\| ![Checkmark with solid fill](media/memo-22-09/check.jpg)\| ![Checkmark with solid fill](media/memo-22-09/check.jpg)\| Edge/Chrome (Safari coming later)\| N/A\| ![Checkmark with solid fill](media/memo-22-09/check.jpg) \| + +To learn more, see [Browser support for Fido 2.0 passwordless authentication](../authentication/fido2-compatibility.md). + +### Virtual device sign-in scenarios requiring integration + +To enforce the use of phishing resistant MFA methods, integration may be necessary based on your requirements. MFA should be enforced both when users access applications and devices. + +For each of the five phishing-resistant MFA types previously mentioned, you use the same capabilities to access the following device types: + +\| Target System\| Integration Actions \| +\| - \| - \| +\| Azure Linux VM\| Enable the [Linux VM for Azure AD sign-in](../devices/howto-vm-sign-in-azure-ad-linux.md) \| +\| Azure Windows VM\| Enable the [Windows VM for Azure AD sign-in](../devices/howto-vm-sign-in-azure-ad-windows.md) \| +\| Azure Virtual Desktop\| Enable [Azure virtual desktop for Azure AD sign-in](https://docs.microsoft.com/azure/architecture/example-scenario/wvd/azure-virtual-desktop-azure-active-directory-join) \| +\| VMs hosted on-prem or in other clouds\| Enable [Azure Arc](../../azure-arc/overview.md) on the VM then enable Azure AD sign-in. (Currently in private preview for Linux. Support for Windows VMs hosted in these environments is on our roadmap.) \| +\| Non-Microsoft virtual desktop solutions\| Integrate 3rd party virtual desktop solution as an app in Azure AD \| ++ +### Enforcing phishing-resistant MFA + +Conditional Access enables you to enforce MFA for users in your tenant. With the addition of Cross Tenant Access Policies, you can enforce it on external users. + +#### Enforcement across agencies + +[Azure AD B2B collaboration](../external-identities/what-is-b2b.md) (B2B) helps you to meet the requirement to facilitate integration among agencies. It does this by both limiting what other Microsoft tenants your users can access, and by enabling you to allow access to users that you do not have to manage in your own tenant, but whom you can subject to your MFA and other access requirements. + +You must enforce MFA for partners and external users who access your organizationΓÇÖs resources. This is common in many inter-agency collaboration scenarios. Azure AD provides [Cross Tenant Access Policies (XTAP)](../external-identities/cross-tenant-access-overview.md) to help you configure MFA for external users accessing your applications and resources. XTAP uses trust settings that allow you to trust the MFA method used by the guest userΓÇÖs tenant instead of having them register an MFA method directly with your tenant. These policies can be configured on a per organization basis. This requires you to understand the available MFA methods in the userΓÇÖs home tenant and determine if they meet the requirement for phishing resistance. + +## Password policies + +The memo requires organizations to change password policies that have proven to be ineffective, such as complex passwords that are rotated often. This includes the removal of the requirement for special characters and numbers as well as time-based password rotation policies. Instead, consider doing the following: + +* Use [password protection](..//authentication/concept-password-ban-bad.md) to enforce a common list Microsoft maintains of weak passwords. You can also add custom banned passwords. + +* Use [self-service password protection](..//authentication/tutorial-enable-sspr.md) (SSPR) to enable users to reset passwords as needed, for example after an account recovery. + +* Use [Azure AD Identity Protection](..//identity-protection/concept-identity-protection-risks.md) to be alerted about compromised credentials so you can take immediate action. + +While the memo isnΓÇÖt specific on which policies to use with passwords consider the standard from [NIST 800-63B](https://pages.nist.gov/800-63-3/sp800-63b.html). + +## Next steps +The following articles are a part of this documentation set: + +[Meet identity requirements of Memorandum 22-09](memo-22-09-meet-identity-requirements.md) + +[Enterprise-wide identity management system](memo-22-09-enterprise-wide-identity-management-system.md) + +[Multi-factor authentication](memo-22-09-multi-factor-authentication.md) + +[Authorization](memo-22-09-authorization.md) + +[Other areas of Zero Trust](memo-22-09-other-areas-zero-trust.md) + +Additional Zero Trust Documentation + +[Securing identity with Zero Trust](/security/zero-trust/deploy/identity)
active-directory	Memo 22 09 Other Areas Zero Trust	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/memo-22-09-other-areas-zero-trust.md	+ + Title: Memo 22-09 other areas of Zero Trust +description: Guidance on understanding other Zero Trust requirements outlined in US government OMB memorandum 22-09 +++++++++ Last updated : 3/10/2022++++ +# Other areas of zero trust addressed in Memo 22-09 + +This other articles in this guidance set address the identity pillar of Zero Trust principles as described by the US Federal GovernmentΓÇÖs Office of Management and Budget (OMB) [Memorandum M-22-09](https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf). There are areas of the zero trust maturity model that cover topics beyond the identity pillar. + +This article addresses the following cross-cutting themes: + +* Visibility and analytics + +* Automation and orchestration + +* Governance + +## Visibility +It's important to monitor your Azure AD tenant. You must adopt an "assume breach" mindset and meet compliance standards set forth in [Memorandum M-22-09](https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf) and [Memorandum M-21-31](https://www.whitehouse.gov/wp-content/uploads/2021/M-21-31). There are three primary log types used for security analysis and ingestion: + +* [Azure Audit Log.](../reports-monitoring/concept-audit-logs.md) Used to monitor operational activities of the directory itself such as creating, deleting, updating objects like users or groups, as well as making changes to configurations of Azure AD like modifications to a conditional access policy. + +* [Azure AD Sign-In Logs.](../reports-monitoring/concept-all-sign-ins.md) Used to monitor all sign-in activities associated with users, applications, and service principals. The sign-in logs contain specific categories of sign-ins for easy differentiation: + + * Interactive sign-ins: Shows user successful and failed sign-ins for failures, the policies that may have been applied, and other relevant metadata. + + * Non-interactive user sign-ins: Shows sign-ins where a user did not perform an interaction during sign-in. These sign-ins are typically clients signing in on behalf of the user, such as mobile applications or email clients. + + * Service principal sign-ins: Shows sign-ins by service principals or applications.Ttypically these are headless, and done by services or applications accessing other services, applications, or Azure AD directory itself through REST API. + + * Managed identities for azure resource sign-ins: Shows sign-ins from resources with Azure Managed Identities. Typically these are Azure resources or applications accessing other Azure resources, such as a web application service authenticating to an Azure SQL backend. + +* [Provisioning Logs.](../reports-monitoring/concept-provisioning-logs.md) Shows information about objects synchronized from Azure AD to applications like Service Now by using SCIM. + +Log entries are stored for 7 days in Azure AD free tenants. Tenants with an Azure AD premium license retain log entries for 30 days. ItΓÇÖs important to ensure your logs are ingested by a SIEM tool. Using a SIEM allows sign-in and audit events to be correlated with application, infrastructure, data, device, and network logs for a holistic view of your systems. Microsoft recommends integrating your Azure AD logs with [Microsoft Sentinel](../../sentinel/overview.md) by configuring a connector to ingest your Azure AD tenant Logs. +For more information, see [Connect Azure Active Directory to Sentinel](../../sentinel/connect-azure-active-directory.md). +You can also configure the [diagnostic settings](../reports-monitoring/overview-monitoring.md) on your Azure AD tenant to send the data to either a Storage account, EventHub, or Log analytics workspace. These storage options allow you to integrate other SIEM tools to collect the data. For more information, see [Plan reports & monitoring deployment](../reports-monitoring/plan-monitoring-and-reporting.md). + +## Analytics + +Analytics can be used to aggregate information from Azure AD to show trends in your security posture in comparison to your baseline. Analytics can also be used as the way to assess and look for patterns or threats across Azure AD. + +* [Azure AD Identity Protection.](../identity-protection/overview-identity-protection.md) Identity protection actively analyses sign-ins and other telemetry sources for risky behavior. Identity protection assigns a risk score to a sign-in event. You can prevent sign-ins, or force a step-up authentication, to access a resource or application based on risk score. + +* [Microsoft Sentinel.](../../sentinel/get-visibility.md) Sentinel has many ways in which information from Azure AD can be analyzed. + + * Microsoft Sentinel has [User and Entity Behavioral Analytics (UEBA)](../../sentinel/identify-threats-with-entity-behavior-analytics.md). UEBA delivers high-fidelity, actionable intelligence on potential threats involving user, hosts, IP addresses, and application entities. This enhances events across the enterprise to help detect anomalous behavior in users and systems. + + * Specific analytics rule templates that hunt for threats and alerts found in information in your Azure AD logs. Your security or operation analyst can then triage and remediate threats. + + * Microsoft Sentinel has [workbooks](../../sentinel/top-workbooks.md) available that help visualize multiple Azure AD data sources. These include workbooks that show aggregate sign-ins by country, or applications with the most sign-ins. You can also create or modify existing workbooks to view information or threats in a dashboard to gain insights. + +* [Azure AD usage and insights report.](../reports-monitoring/concept-usage-insights-report.md) These reports show information similar to sentinel workbooks, including which applications have the highest usage or logon trends over a given time period. These are useful for understanding aggregate trends in your enterprise which may indicate an attack or other events. + +## Automation and orchestration + +Automation is an important aspect of Zero Trust, particularly in remediation of alerts that may occur due to threats or security changes in your environment. In Azure AD, automation integrations are possible to help remediate alerts or perform actions that can improve your security posture. Automations are based on information received from monitoring and analytics. +[Microsoft Graph API](../develop/microsoft-graph-intro.md) REST calls are the most common way to programmatically access Azure AD. This API-based access requires an Azure AD identity with the necessary authorizations and scope. With the Graph API, you can integrate Microsoft's and other tools. Microsoft recommends you set up an Azure function or Azure Logic App to use a [System Assigned Managed Identity](../managed-identities-azure-resources/overview.md). Your logic app or function contains the steps or code necessary to automate the desired actions. You assign permissions to the managed identity to grant the service principal the necessary directory permissions to perform the required actions. Grant managed identities only the minimum rights necessary. With the Graph API, you can integrate third party tools. Follow the principles outlined in this article when performing your integration. +Another automation integration point is [Azure AD PowerShell](/powershell/azure/active-directory/overview?view=azureadps-2.0) modules. PowerShell is a useful automation tool for administrators and IT integrators performing common tasks or configurations in Azure AD. PowerShell can also be incorporated into Azure functions or Azure automation runbooks. + +## Governance + +It is important that you understand and document clear processes for how you intend to operate your Azure AD environment. Azure AD has several features that allow for governance-like functionality to be applied to scopes within Azure AD. Consider the following guidance to help with governance with Azure AD. + +* [Azure Active Directory governance operations reference guide](../fundamentals/active-directory-ops-guide-govern.md). +* [Azure Active Directory security operations guide](../fundamentals/security-operations-introduction.md) can help you secure your operations and understand how security and governance overlap. +* Once you understand operational governance, you can use [governance features](../governance/identity-governance-overview.md) to implement portions of your governance controls. These include features mentioned in [Authorization for Memo 22-09](memo-22-09-authorization.md). + + +## Next steps + +The following articles are a part of this documentation set: + +[Meet identity requirements of Memorandum 22-09](memo-22-09-meet-identity-requirements.md) + +[Enterprise-wide identity management system](memo-22-09-enterprise-wide-identity-management-system.md) + +[Multi-factor authentication](memo-22-09-multi-factor-authentication.md) + +[Authorization](memo-22-09-authorization.md) + +[Other areas of Zero Trust](memo-22-09-other-areas-zero-trust.md) + +Additional Zero Trust Documentation + +[Securing identity with Zero Trust](/security/zero-trust/deploy/identity)
aks	Gpu Cluster	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/gpu-cluster.md	Last updated 08/06/2021 # Use GPUs for compute-intensive workloads on Azure Kubernetes Service (AKS) -Graphical processing units (GPUs) are often used for compute-intensive workloads such as graphics and visualization workloads. AKS supports the creation of GPU-enabled node pools to run these compute-intensive workloads in Kubernetes. For more information on available GPU-enabled VMs, see [GPU optimized VM sizes in Azure][gpu-skus]. For AKS node pools, we recommend a minimum size of Standard_NC6. +Graphical processing units (GPUs) are often used for compute-intensive workloads such as graphics and visualization workloads. AKS supports the creation of GPU-enabled node pools to run these compute-intensive workloads in Kubernetes. For more information on available GPU-enabled VMs, see [GPU optimized VM sizes in Azure][gpu-skus]. For AKS node pools, we recommend a minimum size of Standard_NC6. Note that the NVv4 series (based on AMD GPUs) are not yet supported with AKS. > [!NOTE] > GPU-enabled VMs contain specialized hardware that is subject to higher pricing and region availability. For more information, see the [pricing][azure-pricing] tool and [region availability][azure-availability]. For information on using Azure Kubernetes Service with Azure Machine Learning, s [azureml-aks]: ../machine-learning/how-to-deploy-azure-kubernetes-service.md [azureml-gpu]: ../machine-learning/how-to-deploy-inferencing-gpus.md [azureml-triton]: ../machine-learning/how-to-deploy-with-triton.md -[aks-container-insights]: monitor-aks.md#container-insights +[aks-container-insights]: monitor-aks.md#container-insights
aks	Integrations	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/integrations.md	The below table shows a few examples of open-source and third-party integrations [helm-qs]: quickstart-helm.md [prometheus]: https://prometheus.io/ [prometheus-helm-chart]: https://github.com/prometheus-community/helm-charts#usage -[prometheus-az-monitor]: /monitor-aks.md#container-insights +[prometheus-az-monitor]: monitor-aks.md#container-insights [istio]: https://istio.io/ [istio-install]: https://istio.io/latest/docs/setup/install/ [linkerd]: https://linkerd.io/ The below table shows a few examples of open-source and third-party integrations [spark-job]: spark-job.md [azure-ml-overview]: ../machine-learning/how-to-attach-arc-kubernetes.md [dapr-overview]: ./dapr.md -[gitops-overview]: ../azure-arc/kubernetes/conceptual-gitops-flux2.md +[gitops-overview]: ../azure-arc/kubernetes/conceptual-gitops-flux2.md
aks	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure Kubernetes Service (AKS) description: Lists Azure Policy Regulatory Compliance controls available for Azure Kubernetes Service (AKS). These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
aks	Use Tags	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-tags.md	Title: Use Azure tags in Azure Kubernetes Service (AKS) -description: Learn how to use Azure provider tags to track resources in Azure Kubernetes Service (AKS) +description: Learn how to use Azure provider tags to track resources in Azure Kubernetes Service (AKS). Last updated 02/08/2022 Last updated 02/08/2022 # Use Azure tags in Azure Kubernetes Service (AKS) -AKS has the ability to set Azure tags on the cluster and its related resources using the Azure Resource Manager, such as the Azure CLI. For some resources, you can also use Kubernetes manifests to set Azure tags. Azure tags are useful tracking resource usage for things like charge back. +With Azure Kubernetes Service (AKS), you can set Azure tags on an AKS cluster and its related resources by using Azure Resource Manager, through the Azure CLI. For some resources, you can also use Kubernetes manifests to set Azure tags. Azure tags are a useful tracking resource for certain business processes, such as chargeback. -This article explains how Azure tags set for AKS clusters and related resources. +This article explains how to set Azure tags for AKS clusters and related resources. ## Before you begin -Setting and updating Azure tags with AKS clusters and their related resources work as follows: +It's a good idea to understand what happens when you set and update Azure tags with AKS clusters and their related resources. For example: -* Tags set on an AKS cluster apply those tags to all resources related to the cluster, but not the node pools. This operation will overwrite the value of existing keys. -* Tags set on a node pool apply those tags to only resources related to that node pool. This operation will overwrite the value of existing keys. Resources outside that node pool, including resources for the rest of the cluster and other node pools, are unaffected. -* Public IPs, files, and disks can have tags set by Kubernetes using a Kubernetes manifest. Tags set in this way will maintain the Kubernetes value, even if later updates are made to those tags using another method. When public IPs, files, or disks are removed through Kubernetes, any tags set by Kubernetes are removed. Tags that are not tracked by Kubernetes on those resources remain unaffected. +* Tags set on an AKS cluster apply to all resources that are related to the cluster, but not the node pools. This operation overwrites the values of existing keys. +* Tags set on a node pool apply only to resources related to that node pool. This operation overwrites the values of existing keys. Resources outside that node pool, including resources for the rest of the cluster and other node pools, are unaffected. +* Public IPs, files, and disks can have tags set by Kubernetes through a Kubernetes manifest. Tags set in this way will maintain the Kubernetes values, even if you update them later by using another method. When public IPs, files, or disks are removed through Kubernetes, any tags that are set by Kubernetes are removed. Tags on those resources that aren't tracked by Kubernetes remain unaffected. + +### Prerequisites + +* The Azure CLI version 2.0.59 or later, installed and configured. + + To find your version, run┬á`az --version`. If you need to install it or update your version, see┬á[Install Azure CLI][install-azure-cli]. +* Kubernetes version 1.20 or later, installed. ### Limitations -* Azure tags have keys which are case-insensitive for operations, such as when retrieving a tag by searching the key. In this case a tag with the given key will be updated or retrieved regardless of casing. Tag values are case-sensitive. -* In AKS, if multiple tags are set with identical keys but different casing, the tag used is the first in alphabetical order. For example, `{"Key1": "val1", "kEy1": "val2", "key1": "val3"}` results in `Key1` and `val1` being set. -* You need the Azure CLI version 2.0.59 or later installed and configured. Run┬á`az --version` to find the version. If you need to install or upgrade, see┬á[Install Azure CLI][install-azure-cli]. -* Kubernetes version 1.20 or newer is required. +* Azure tags have keys that are case-insensitive for operations, such as when you're retrieving a tag by searching the key. In this case, a tag with the specified key will be updated or retrieved regardless of casing. Tag values are case-sensitive. +* In AKS, if multiple tags are set with identical keys but different casing, the tags are used in alphabetical order. For example, `{"Key1": "val1", "kEy1": "val2", "key1": "val3"}` results in `Key1` and `val1` being set. * For shared resources, tags aren't able to determine the split in resource usage on their own. -## Adding tags to the cluster +## Add tags to the cluster -When you create or update a cluster with the `--tags` parameter, the following are assigned the Azure tags you specified: +When you create or update an AKS cluster with the `--tags` parameter, the following are assigned the Azure tags that you've specified: -* the AKS cluster -* the route table associated with the cluster -* the public IP associated with the cluster -* the network security group associated with the cluster -* the virtual network associated with the cluster +* The AKS cluster +* The route table that's associated with the cluster +* The public IP that's associated with the cluster +* The network security group that's associated with the cluster +* The virtual network that's associated with the cluster -To create a cluster and assign Azure tags, use the `az aks create` with the `--tags` parameter. The following command creates a myAKSCluster in the myResourceGroup with the tags dept=IT and costcenter=9999. +To create a cluster and assign Azure tags, run `az aks create` with the `--tags` parameter, as shown in the following command. Running the command creates a myAKSCluster in the myResourceGroup with the tags dept=IT and costcenter=9999. > [!NOTE] -> To set tags on the initial node pool, node resource group, the virtual machine scale set, and each virtual machine scale set instance associated with the initial node pool, also set the `--nodepool-tags` parameter. +> To set tags on the initial node pool, the node resource group, the virtual machine scale set, and each virtual machine scale set instance that's associated with the initial node pool, also set the `--nodepool-tags` parameter. ```azurecli-interactive az aks create \ az aks create \ ``` > [!IMPORTANT] -> In cases where you are using existing resources when creating a new cluster, such as an IP address or route table, `az aks create` overwrites the set of tags. If you later delete that cluster, any tags set by the cluster will be removed. +> If you're using existing resources when you're creating a new cluster, such as an IP address or route table, `az aks create` overwrites the set of tags. If you delete that cluster later, any tags set by the cluster will be removed. -Verify the tags have been applied to the cluster and related resources. The following example shows the cluster tags for myAKSCluster. +Verify that the tags have been applied to the cluster and related resources. The cluster tags for myAKSCluster are shown in the following example: ```output $ az aks show -g myResourceGroup -n myAKSCluster --query '[tags]' $ az aks show -g myResourceGroup -n myAKSCluster --query '[tags]' } ``` -To update the tags on an existing cluster, use `az aks update` with the `--tags` parameter. The following command updates the myAKSCluster with the tags team=alpha and costcenter=1234. +To update the tags on an existing cluster, run `az aks update` with the `--tags` parameter. Running the command updates the myAKSCluster with the tags team=alpha and costcenter=1234. ```azurecli-interactive az aks update \ --tags team=alpha costcenter=1234 ``` -Verify the tags have been applied to the cluster. For example: +Verify that the tags have been applied to the cluster. For example: ```output $ az aks show -g myResourceGroup -n myAKSCluster --query '[tags]' $ az aks show -g myResourceGroup -n myAKSCluster --query '[tags]' ``` > [!IMPORTANT] -> Setting tags on a cluster using `az aks update` overwrites the set of tags. For example, if your cluster had the tags dept=IT and costcenter=9999 and you used `az aks update` with the tags team=alpha and costcenter=1234, the new list of tags would be team=alpha and costcenter=1234. +> Setting tags on a cluster by using `az aks update` overwrites the set of tags. For example, if your cluster has the tags dept=IT and costcenter=9999 and you use `az aks update` with the tags team=alpha and costcenter=1234, the new list of tags would be team=alpha and costcenter=1234. ## Adding tags to node pools -You can apply an Azure tag to a new or existing node pool in your AKS cluster. Tags applied to a node pool are applied to each node within the node pool and are persisted through upgrades. Tags are also applied to new nodes added to a node pool during scale-out operations. Adding a tag can help with tasks such as policy tracking or cost estimation. +You can apply an Azure tag to a new or existing node pool in your AKS cluster. Tags applied to a node pool are applied to each node within the node pool and are persisted through upgrades. Tags are also applied to new nodes that are added to a node pool during scale-out operations. Adding a tag can help with tasks such as policy tracking or cost estimation. -When you create or update a node pool with the `--tags` parameter, the following are assigned the Azure tags you specified: +When you create or update a node pool with the `--tags` parameter, the tags that you specify are assigned to the following resources: -* the node pool -* the node resource group -* the virtual machine scale set and each virtual machine scale set instance associated with the node pool +* The node pool +* The node resource group +* The virtual machine scale set and each virtual machine scale set instance that's associated with the node pool -To create a node pool with an Azure tag, use `az aks nodepool add` with the `--tags` parameter. The following example creates a tagnodepool node pool with the tags abtest=a and costcenter=5555 in the myAKSCluster. +To create a node pool with an Azure tag, run `az aks nodepool add` with the `--tags` parameter. Running the following command creates a tagnodepool node pool with the tags abtest=a and costcenter=5555 in the myAKSCluster. ```azurecli-interactive az aks nodepool add \ az aks nodepool add \ --no-wait ``` -Verify the tags have been applied to the tagnodepool node pool. +Verify that the tags have been applied to the tagnodepool node pool. ```output $ az aks show -g myResourceGroup -n myAKSCluster --query 'agentPoolProfiles[].{nodepoolName:name,tags:tags}' $ az aks show -g myResourceGroup -n myAKSCluster --query 'agentPoolProfiles[].{n ] ``` -To update a node pool with an Azure tag, use `az aks nodepool update` with the `--tags` parameter. The following example updates tagnodepool node pool with the tags appversion=0.0.2 and costcenter=4444 in the myAKSCluster, which already has the tags abtest=a and costcenter=5555. +To update a node pool with an Azure tag, run `az aks nodepool update` with the `--tags` parameter. Running the following command updates the tagnodepool node pool with the tags appversion=0.0.2 and costcenter=4444 in the myAKSCluster, which already has the tags abtest=a and costcenter=5555. ```azurecli-interactive az aks nodepool update \ az aks nodepool update \ ``` > [!IMPORTANT] -> Setting tags on a node pool using `az aks nodepool update` overwrites the set of tags. For example, if your node pool had the tags abtest=a and costcenter=5555 and you used `az aks nodepool update` with the tags appversion=0.0.2 and costcenter=4444, the new list of tags would be appversion=0.0.2 and costcenter=4444. +> Setting tags on a node pool by using `az aks nodepool update` overwrites the set of tags. For example, if your node pool has the tags abtest=a and costcenter=5555, and you use `az aks nodepool update` with the tags appversion=0.0.2 and costcenter=4444, the new list of tags would be appversion=0.0.2 and costcenter=4444. -Verify the tags have been updated on the nodepool. +Verify that the tags have been updated on the nodepool. ```output $ az aks show -g myResourceGroup -n myAKSCluster --query 'agentPoolProfiles[].{nodepoolName:name,tags:tags}' $ az aks show -g myResourceGroup -n myAKSCluster --query 'agentPoolProfiles[].{n ] ``` -## Adding tags using Kubernetes +## Add tags by using Kubernetes -You can apply Azure tags to public IPs, disks, and files using a Kubernetes manifest. +You can apply Azure tags to public IPs, disks, and files by using a Kubernetes manifest. -For public IPs, use service.beta.kubernetes.io/azure-pip-tags, for example: +For public IPs, use service.beta.kubernetes.io/azure-pip-tags. For example: ```yml apiVersion: v1 spec: ... ``` -For files and disks, use tags under parameters, for example: +For files and disks, use tags under parameters. For example: ```yml parameters: ``` > [!IMPORTANT] -> Setting tags on files, disks, and public IPs using Kubernetes updates the set of tags. For example, if your disk has the tags dept=IT and costcenter=5555, and you used Kubernetes to set the tags team=beta and costcenter=3333, the new list of tags would be dept=IT, team=beta, and costcenter=3333. +> Setting tags on files, disks, and public IPs by using Kubernetes updates the set of tags. For example, if your disk has the tags dept=IT and costcenter=5555, and you use Kubernetes to set the tags team=beta and costcenter=3333, the new list of tags would be dept=IT, team=beta, and costcenter=3333. > -> Any updates made to tags through Kubernetes will retain the value set through kubernetes. For example, if your disk has tags dept=IT and costcenter=5555 set by Kubernetes, and you used the portal to set the tags team=beta and costcenter=3333, the new list of tags would be dept=IT, team=beta, and costcenter=5555. If you then removed the disk through Kubernetes, the disk would have the tag team=beta. +> Any updates that you make to tags through Kubernetes will retain the value that's set through Kubernetes. For example, if your disk has tags dept=IT and costcenter=5555 set by Kubernetes, and you use the portal to set the tags team=beta and costcenter=3333, the new list of tags would be dept=IT, team=beta, and costcenter=5555. If you then remove the disk through Kubernetes, the disk would have the tag team=beta. [install-azure-cli]: /cli/azure/install-azure-cli
api-management	Backends	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/backends.md	API Management also supports using other Azure resources as an API backend, such Custom backends require extra configuration to authorizeΓÇ»the credentials of requests toΓÇ»theΓÇ»backendΓÇ»service and define API operations. Configure and manage custom backends in the Azure portal, or using Azure APIs or tools. -After creating a backend, youΓÇ»canΓÇ»reference the backend URL in your APIs. Use the [`set-backend-service`](api-management-transformation-policies.md#SetBackendService) policy to redirect an incoming API request to the custom backend instead of the default backend for that API. +After creating a backend, youΓÇ»canΓÇ»reference the backend in your APIs. Use the [`set-backend-service`](api-management-transformation-policies.md#SetBackendService) policy to redirect an incoming API request to the custom backend instead of the default backend for that API. + +> [!NOTE] +> When you use the `set-backend-service` policy to redirect requests to a custom backend, refer to the backend by its identifier (`backend-id`), not by its URL. ## Benefits of backends
api-management	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure API Management description: Lists Azure Policy Regulatory Compliance controls available for Azure API Management. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
app-service	Configure Language Python	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/configure-language-python.md	Existing web applications can be redeployed to Azure as follows: 1. Source repository: Maintain your source code in a suitable repository like GitHub, which enables you to set up continuous deployment later in this process. 1. Your requirements.txt file must be at the root of your repository for App Service to automatically install the necessary packages. -1. Database: If your app depends on a database, provision the necessary resources on Azure as well. See [Tutorial: Deploy a Django web app with PostgreSQL - create a database](tutorial-python-postgresql-app.md#3-create-postgres-database-in-azure) for an example. +1. Database: If your app depends on a database, provision the necessary resources on Azure as well. See [Tutorial: Deploy a Django web app with PostgreSQL - create a database](tutorial-python-postgresql-app.md#3create-the-postgresql-database-in-azure) for an example. -1. App service resources: Create a resource group, App Service Plan, and App Service web app to host your application. You can most easily do this by doing an initial deployment of your code through the Azure CLI command `az webapp up`, as shown on [Tutorial: Deploy a Django web app with PostgreSQL - deploy the code](tutorial-python-postgresql-app.md#4-deploy-the-code-to-azure-app-service). Replace the names of the resource group, App Service Plan, and the web app to be more suitable for your application. +1. App service resources: Create a resource group, App Service Plan, and App Service web app to host your application. You can most easily do this by doing an initial deployment of your code through the Azure CLI command [`az webapp up`](/cli/azure/webapp?az-webapp-up). Or, you can create and deploy resources as shown in [Tutorial: Deploy a Django web app with PostgreSQL](tutorial-python-postgresql-app.md). Replace the names of the resource group, App Service Plan, and the web app to be more suitable for your application. 1. Environment variables: If your application requires any environment variables, create equivalent [App Service application settings](configure-common.md#configure-app-settings). These App Service settings appear to your code as environment variables, as described on [Access environment variables](#access-app-settings-as-environment-variables). - - Database connections, for example, are often managed through such settings, as shown in [Tutorial: Deploy a Django web app with PostgreSQL - configure variables to connect the database](tutorial-python-postgresql-app.md#42-configure-environment-variables-to-connect-the-database). + - Database connections, for example, are often managed through such settings, as shown in [Tutorial: Deploy a Django web app with PostgreSQL - configure variables to connect the database](tutorial-python-postgresql-app.md#5connect-the-web-app-to-the-database). - See [Production settings for Django apps](#production-settings-for-django-apps) for specific settings for typical Django apps. 1. App startup: Review the section, [Container startup process](#container-startup-process) later in this article to understand how App Service attempts to run your app. App Service uses the Gunicorn web server by default, which must be able to find your app object or wsgi.py folder. If needed, you can [Customize the startup command](#customize-startup-command). 1. Continuous deployment: Set up continuous deployment, as described on [Continuous deployment to Azure App Service](deploy-continuous-deployment.md) if using Azure Pipelines or Kudu deployment, or [Deploy to App Service using GitHub Actions](./deploy-continuous-deployment.md) if using GitHub actions. -1. Custom actions: To perform actions within the App Service container that hosts your app, such as Django database migrations, you can [connect to the container through SSH](configure-linux-open-ssh-session.md). For an example of running Django database migrations, see [Tutorial: Deploy a Django web app with PostgreSQL - run database migrations](tutorial-python-postgresql-app.md#43-run-django-database-migrations). +1. Custom actions: To perform actions within the App Service container that hosts your app, such as Django database migrations, you can [connect to the container through SSH](configure-linux-open-ssh-session.md). For an example of running Django database migrations, see [Tutorial: Deploy a Django web app with PostgreSQL - run database migrations](tutorial-python-postgresql-app.md#7migrate-app-database). - When using continuous deployment, you can perform those actions using post-build commands as described earlier under [Customize build automation](#customize-build-automation). With these steps completed, you should be able to commit changes to your source repository and have those updates automatically deployed to App Service. When attempting to run database migrations with a Django app, you may see "sqlit Check the `DATABASES` variable in the app's settings.py file to ensure that your app is using a cloud database instead of SQLite. -If you're encountering this error with the sample in [Tutorial: Deploy a Django web app with PostgreSQL](tutorial-python-postgresql-app.md), check that you completed the steps in [Configure environment variables to connect the database](tutorial-python-postgresql-app.md#42-configure-environment-variables-to-connect-the-database). +If you're encountering this error with the sample in [Tutorial: Deploy a Django web app with PostgreSQL](tutorial-python-postgresql-app.md), check that you completed the steps in [Configure environment variables to connect the database](tutorial-python-postgresql-app.md#5connect-the-web-app-to-the-database). #### Other issues
app-service	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure App Service description: Lists Azure Policy Regulatory Compliance controls available for Azure App Service. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
app-service	Tutorial Python Postgresql App	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/tutorial-python-postgresql-app.md	Title: 'Tutorial: Deploy a Python Django app with Postgres' -description: Create a Python web app with a PostgreSQL database and deploy it to Azure. The tutorial uses the Django framework and the app is hosted on Azure App Service on Linux. + Title: 'Tutorial: Deploy a Python Django or Flask web app with PostgreSQL' +description: Create a Python Django or Flask web app with a PostgreSQL database and deploy it to Azure. The tutorial uses either the Django or Flask framework and the app is hosted on Azure App Service on Linux. ++ ms.devlang: python Previously updated : 02/22/2022 Last updated : 03/09/2022 -zone_pivot_groups: postgres-server-options -# Tutorial: Deploy a Django web app with PostgreSQL in Azure App Service +# Deploy a Python (Django or Flask) web app with PostgreSQL in Azure -This tutorial shows how to deploy a data-driven Python [Django](https://www.djangoproject.com/) web app to [Azure App Service](overview.md) and connect it to an Azure Database for Postgres database. You can also select the option above to try the PostgresSQL Flexible Server. Flexible Server provides a simpler deployment mechanism and lower ongoing costs. +In this tutorial, you will deploy a data-driven Python web app ([Django](https://www.djangoproject.com/) or [Flask](https://flask.palletsprojects.com/)) with the [Azure Database for PostgreSQL](/azure/postgresql/) relational database service. The Python app is hosted in a fully managed [Azure App Service](/azure/app-service/overview#app-service-on-linux) which supports [Python 3.7 or higher](https://www.python.org/downloads/) in a Linux server environment. You can start with a basic pricing tier that can be scaled up at any later time. -In this tutorial, you use the Azure CLI to complete the following tasks: -> [!div class="checklist"] -> * Set up your initial environment with Python and the Azure CLI. -> * Create an Azure Database for PostgreSQL database. -> * Deploy code to Azure App Service and connect to PostgreSQL. -> * Update your code and redeploy. -> * View diagnostic logs. -> * Manage the web app in the Azure portal. +To complete this tutorial, you'll need: -You can also use the [Azure portal version of this tutorial](/azure/developer/python/tutorial-python-postgresql-app-portal?pivots=postgres-single-server). +* An Azure account with an active subscription exists. If you do not have an Azure account, you [can create one for free](https://azure.microsoft.com/free/python). +* Knowledge of Python with Flask development or [Python with Django development](/learn/paths/django-create-data-driven-websites/) +* [Python 3.7 or higher](https://www.python.org/downloads/) installed locally. +* [PostgreSQL](https://www.postgresql.org/download/) installed locally. +## 1 - Sample application +Sample Python applications using the Flask and Django framework are provided to help you follow along with this tutorial. Download or clone one of the sample applications to your local workstation. -This tutorial shows how to deploy a data-driven Python [Django](https://www.djangoproject.com/) web app to [Azure App Service](overview.md) and connect it to an [Azure Database for PostgreSQL Flexible Server](../postgresql/flexible-server/index.yml) database. If you can't use PostgreSQL Flexible Server, then select the Single Server option above. +### [Flask](#tab/flask) -In this tutorial, you use the Azure CLI to complete the following tasks: - -> [!div class="checklist"] -> * Set up your initial environment with Python and the Azure CLI. -> * Create an Azure Database for PostgreSQL Flexible Server database. -> * Deploy code to Azure App Service and connect to PostgreSQL Flexible Server. -> * Update your code and redeploy. -> * View diagnostic logs. -> * Manage the web app in the Azure portal. - -You can also use the [Azure portal version of this tutorial](/azure/developer/python/tutorial-python-postgresql-app-portal?pivots=postgres-flexible-server). +```bash +git clone https://github.com/Azure-Samples/msdocs-flask-postgresql-sample-app +``` +### [Django](#tab/django) -## 1. Set up your initial environment +```bash +git clone https://github.com/Azure-Samples/msdocs-django-postgresql-sample-app.git +``` -1. Have an Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio). -1. Install <a href="https://www.python.org/downloads/" target="_blank">Python 3.6 or higher</a>. -1. Install the <a href="/cli/azure/install-azure-cli" target="_blank">Azure CLI</a> 2.18.0 or higher, with which you run commands in any shell, to set up and configure Azure resources. + -Open a terminal window and check that your Python version is 3.6 or higher: +To run the application locally, navigate into the application folder: -# [Bash](#tab/bash) +### [Flask](#tab/flask) ```bash -python3 --version -``` - -# [PowerShell](#tab/powershell) - -```cmd -py -3 --version +cd msdocs-flask-postgresql-sample-app ``` -# [Cmd](#tab/cmd) +### [Django](#tab/django) -```cmd -py -3 --version +```bash +cd msdocs-django-postgresql-sample-app ``` -Check that your Azure CLI version is 2.18.0 or higher: +Create a virtual environment for the app: -```azurecli -az --version -``` -If you need to upgrade, try the `az upgrade` command (requires version 2.11+) or see <a href="/cli/azure/install-azure-cli" target="_blank">Install the Azure CLI</a>. +Install the dependencies: -Then sign in to Azure using the CLI: - -```azurecli -az login +```Console +pip install -r requirements.txt ``` -This command opens a browser to gather your credentials. When the command finishes, it shows JSON output containing information about your subscriptions. - -Once signed in, you can run Azure commands with the Azure CLI to work with resources in your subscription. +Set environment variables to specify how to connect to a local PostgreSQL instance. -Having issues? [Let us know](https://aka.ms/DjangoCLITutorialHelp). +This sample application requires an .env file describing how to connect to your local PostgreSQL instance. Create an .env file using the .env.sample file as a guide. Set the value of `DBNAME` to the name of an existing database in your local PostgreSQL instance. This tutorial assumes the database name is restaurant. Set the values of `DBHOST`, `DBUSER`, and `DBPASS` as appropriate for your local PostgreSQL instance. -## 2. Clone or download the sample app +If you want to run SQLite locally instead, follow the instructions in the comments of the settings.py file. -# [Git clone](#tab/clone) +Create the `restaurant` and `review` database tables: -Clone the sample repository: +### [Flask](#tab/flask) -```terminal -git clone https://github.com/Azure-Samples/djangoapp +```Console +flask db init +flask db migrate -m "initial migration" ``` -Then go into that folder: +### [Django](#tab/django) -```terminal -cd djangoapp +```Console +python manage.py migrate ``` + -For Flexible Server, use the flexible-server branch of the sample that contains a few necessary changes such as: -- How the database server URL is set.-- Adding `'OPTIONS': {'sslmode': 'require'}` to the Django database configuration as required by Azure PostgreSQL Flexible Server. +Run the app: -```terminal -git checkout flexible-server +### [Flask](#tab/flask) + +```Console +flask run ``` +### [Django](#tab/django) -# [Download](#tab/download) +```Console +python manage.py runserver +``` -Go to [https://github.com/Azure-Samples/djangoapp](https://github.com/Azure-Samples/djangoapp). + -For Flexible Server, select the branches control that says "master" and select the flexible-server branch instead. +### [Flask](#tab/flask) -Select Clone, and then select Download ZIP. +In a web browser, go to the sample application at `http://localhost:5000` and add some restaurants and restaurant reviews to see how the app works. -Unpack the ZIP file into a folder named djangoapp. -Then open a terminal window in that djangoapp folder. - +### [Django](#tab/django) -The djangoapp sample contains the data-driven Django polls app you get by following [Writing your first Django app](https://docs.djangoproject.com/en/3.1/intro/tutorial01/) in the Django documentation. The completed app is provided here for your convenience. +In a web browser, go to the sample application at `http://localhost:8000` and add some restaurants and restaurant reviews to see how the app works. -The sample is also modified to run in a production environment like App Service: -- Production settings are in the azuresite/production.py file. Development settings are in azuresite/settings.py.-- The app uses production settings when the `WEBSITE_HOSTNAME` environment variable is set. Azure App Service automatically sets this variable to the URL of the web app, such as `msdocs-django.azurewebsites.net`.+ -The production settings are specific to configuring Django to run in any production environment and aren't particular to App Service. For more information, see the [Django deployment checklist](https://docs.djangoproject.com/en/3.1/howto/deployment/checklist/). Also see [Production settings for Django on Azure](configure-language-python.md#production-settings-for-django-apps) for details on some of the changes. +> [!TIP] +> With Django, you can create users with the `python manage.py createsuperuser` command like you would with a typical Django app. For more information, see the documentation for [django django-admin and manage.py](https://docs.djangoproject.com/en/1.8/ref/django-admin/). Use the superuser account to access the `/admin` portion of the web site. For Flask, use an extension such as [Flask-admin](https://github.com/flask-admin/flask-admin) to provide the same functionality. Having issues? [Let us know](https://aka.ms/DjangoCLITutorialHelp). -## 3. Create Postgres database in Azure - -<!-- > [!NOTE] -> Before you create an Azure Database for PostgreSQL server, check which [compute generation](../postgresql/concepts-pricing-tiers.md#compute-generations-and-vcores) is available in your region. --> - -Install the `db-up` extension for the Azure CLI: - -```azurecli -az extension add --name db-up -``` +## 2 - Create a web app in Azure -If the `az` command isn't recognized, be sure you have the Azure CLI installed as described in [Set up your initial environment](#1-set-up-your-initial-environment). +To host your application in Azure, you need to create Azure App Service web app. +### [Azure portal](#tab/azure-portal) -Then create the Postgres database in Azure with the [`az postgres up`](/cli/azure/postgres#az_postgres_up) command: +Sign in to the [Azure portal](https://portal.azure.com/) and follow these steps to create your Azure Database for PostgreSQL resource. -```azurecli -az postgres up --resource-group DjangoPostgres-tutorial-rg --location centralus --sku-name B_Gen5_1 --server-name <postgres-server-name> --database-name pollsdb --admin-user <admin-username> --admin-password <admin-password> --ssl-enforcement Enabled -``` +\| Instructions \| Screenshot \| +\|:-\|--:\| +\| [!INCLUDE [A screenshot showing how to use the search box in the top tool bar to find App Services in Azure](<./includes/tutorial-python-postgresql-app/create-app-service-azure-portal-1.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/create-app-service-azure-portal-1-240px.png" lightbox="./media/tutorial-python-postgresql-app/create-app-service-azure-portal-1.png" alt-text="A screenshot showing how to use the search box in the top tool bar to find App Services in Azure portal." ::: \| +\| [!INCLUDE [A screenshot showing the location of the Create button on the App Services page in the Azure portal](<./includes/tutorial-python-postgresql-app/create-app-service-azure-portal-2.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/create-app-service-azure-portal-2-240px.png" lightbox="./media/tutorial-python-postgresql-app/create-app-service-azure-portal-2.png" alt-text="A screenshot showing the location of the Create button on the App Services page in the Azure portal." ::: \| +\| [!INCLUDE [A screenshot showing how to fill out the form to create a new App Service in the Azure portal](<./includes/tutorial-python-postgresql-app/create-app-service-azure-portal-3.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/create-app-service-azure-portal-3-240px.png" lightbox="./media/tutorial-python-postgresql-app/create-app-service-azure-portal-3.png" alt-text="A screenshot showing how to fill out the form to create a new App Service in the Azure portal." ::: \| +\| [!INCLUDE [A screenshot showing how to select the basic App Service plan in the Azure portal](<./includes/tutorial-python-postgresql-app/create-app-service-azure-portal-4.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/create-app-service-azure-portal-4-240px.png" lightbox="./media/tutorial-python-postgresql-app/create-app-service-azure-portal-4.png" alt-text="A screenshot showing how to select the basic App Service plan in the Azure portal." ::: \| +\| [!INCLUDE [A screenshot showing the location of the Review plus Create button in the Azure portal](<./includes/tutorial-python-postgresql-app/create-app-service-azure-portal-5.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/create-app-service-azure-portal-5-240px.png" lightbox="./media/tutorial-python-postgresql-app/create-app-service-azure-portal-5.png" alt-text="A screenshot showing the location of the Review plus Create button in the Azure portal." ::: \| -- Replace \<postgres-server-name> with a name that's unique across all Azure (the server endpoint becomes `https://<postgres-server-name>.postgres.database.azure.com`). A good pattern is to use a combination of your company name and another unique value.-- For \<admin-username> and \<admin-password>, specify credentials to create an admin user for this Postgres server. -- The admin username can't be azure_superuser, azure_pg_admin, admin, administrator, root, guest, or public. It can't start with pg_. -- The password must contain 8 to 128 characters from either: - - English uppercase letters. - - English lowercase letters. - - Numbers (0 through 9). - - Non-alphanumeric characters (for example, !, #, %). -- The password can't contain username.-- Don't use the `$` character in the username or password. Later you create environment variables with these values where the `$` character has special meaning within the Linux container used to run Python apps.-- The B_Gen5_1 (Basic, Gen5, 1 core) [pricing tier](../postgresql/concepts-pricing-tiers.md) used here is the least expensive. For production databases, omit the `--sku-name` argument to use the GP_Gen5_2 (General Purpose, Gen 5, 2 cores) tier instead.- -This command does the following actions, which may take a few minutes: --- Create a [resource group](../azure-resource-manager/management/overview.md#terminology) called `DjangoPostgres-tutorial-rg`, if it doesn't already exist.-- Create a Postgres server named by the `--server-name` argument.-- Create an admin account using the `--admin-user` and `--admin-password` arguments. You can omit these arguments to allow the command to generate unique credentials for you.-- Create a `pollsdb` database as named by the `--database-name` argument.-- Allow access from your local IP address.-- Allow access from Azure services.-- Create a database user with access to the `pollsdb` database.- -You can do all the steps separately with other `az postgres` and `psql` commands, but `az postgres up` does all the steps together. - -When the command completes, it outputs a JSON object that contains different connection strings for the database along with the server URL, a generated user name (such as "joyfulKoala@msdocs-djangodb-12345"), and a GUID password. Copy the user name and password to a temporary text file as you need them later in this tutorial. - -<!-- not all locations support az postgres up --> -> [!TIP] -> `-l <location-name>`, can be set to any one of the [Azure regions](https://azure.microsoft.com/global-infrastructure/regions/). You can get the regions available to your subscription with the [`az account list-locations`](/cli/azure/account#az_account_list_locations) command. For production apps, put your database and your app in the same location. +### [VS Code](#tab/vscode-aztools) +To create Azure resources in VS Code, you must have the [Azure Tools extension pack](https://marketplace.visualstudio.com/items?itemName=ms-vscode.vscode-node-azure-pack) installed and be signed into Azure from VS Code. +> [!div class="nextstepaction"] +> [Download Azure Tools extension pack](https://marketplace.visualstudio.com/items?itemName=ms-vscode.vscode-node-azure-pack) -1. Allow parameters caching with the Azure CLI so you don't need to provide those parameters with every command. (Cached values are saved in the .azure folder.) +\| Instructions \| Screenshot \| +\|:-\|--:\| +\| [!INCLUDE [A screenshot showing how to use the search box in the top tool bar to find App Services in Azure](<./includes/tutorial-python-postgresql-app/create-app-service-visual-studio-code-1.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/create-app-service-visual-studio-code-1-240px.png" lightbox="./media/tutorial-python-postgresql-app/create-app-service-visual-studio-code-1.png" alt-text="A screenshot showing how to find the VS Code Azure extension in VS Code." ::: \| +\| [!INCLUDE [A screenshot showing how to use the search box in the top tool bar to find App Services in Azure](<./includes/tutorial-python-postgresql-app/create-app-service-visual-studio-code-2.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/create-app-service-visual-studio-code-2-240px.png" lightbox="./media/tutorial-python-postgresql-app/create-app-service-visual-studio-code-2.png" alt-text="A screenshot showing how to create a new web app in VS Code." ::: \| +\| [!INCLUDE [A screenshot showing how to use the search box in the top tool bar to find App Services in Azure](<./includes/tutorial-python-postgresql-app/create-app-service-visual-studio-code-3.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/create-app-service-visual-studio-code-3-240px.png" lightbox="./media/tutorial-python-postgresql-app/create-app-service-visual-studio-code-3.png" alt-text="A screenshot showing how to use the search box in the top tool bar of VS Code to name a new web app." ::: \| +\| [!INCLUDE [A screenshot showing how to use the search box in the top tool bar to find App Services in Azure](<./includes/tutorial-python-postgresql-app/create-app-service-visual-studio-code-4.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/create-app-service-visual-studio-code-4a-240px.png" lightbox="./media/tutorial-python-postgresql-app/create-app-service-visual-studio-code-4a.png" alt-text="A screenshot showing how to use the search box in the top tool bar of VS Code to create a new resource group." ::: :::image type="content" source="./media/tutorial-python-postgresql-app/create-app-service-visual-studio-code-4b-240px.png" lightbox="./media/tutorial-python-postgresql-app/create-app-service-visual-studio-code-4b.png" alt-text="A screenshot showing how to use the search box in the top tool bar of VS Code to name a new resource group." ::: \| +\| [!INCLUDE [A screenshot showing how to use the search box in the top tool bar to find App Services in Azure](<./includes/tutorial-python-postgresql-app/create-app-service-visual-studio-code-5.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/create-app-service-visual-studio-code-5-240px.png" lightbox="./media/tutorial-python-postgresql-app/create-app-service-visual-studio-code-5.png" alt-text="A screenshot showing how to use the search box in the top tool bar of VS Code to set the runtime stack of a web app in Azure." ::: \| +\| [!INCLUDE [A screenshot showing how to use the search box in the top tool bar to find App Services in Azure](<./includes/tutorial-python-postgresql-app/create-app-service-visual-studio-code-6.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/create-app-service-visual-studio-code-6-240px.png" lightbox="./media/tutorial-python-postgresql-app/create-app-service-visual-studio-code-6.png" alt-text="A screenshot showing how to use the search box in the top tool bar of VS Code to set location for new web app resource in Azure." ::: \| +\| [!INCLUDE [A screenshot showing how to use the search box in the top tool bar to find App Services in Azure](<./includes/tutorial-python-postgresql-app/create-app-service-visual-studio-code-7.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/create-app-service-visual-studio-code-7a-240px.png" lightbox="./media/tutorial-python-postgresql-app/create-app-service-visual-studio-code-7a.png" alt-text="A screenshot showing how to use the search box in the top tool bar of VS Code to create a new App Service plan in Azure." ::: :::image type="content" source="./media/tutorial-python-postgresql-app/create-app-service-visual-studio-code-7b-240px.png" lightbox="./media/tutorial-python-postgresql-app/create-app-service-visual-studio-code-7b.png" alt-text="A screenshot showing how to use the search box in the top tool bar in VS Code to name a new App Service plan in Azure." ::: \| +\| [!INCLUDE [A screenshot showing how to use the search box in the top tool bar to find App Services in Azure](<./includes/tutorial-python-postgresql-app/create-app-service-visual-studio-code-8.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/create-app-service-visual-studio-code-8-240px.png" lightbox="./media/tutorial-python-postgresql-app/create-app-service-visual-studio-code-8.png" alt-text="A screenshot showing how to use the search box in the top tool bar in VS Code to select a pricing tier for a web app in Azure." ::: \| +\| [!INCLUDE [A screenshot showing how to use the search box in the top tool bar to find App Services in Azure](<./includes/tutorial-python-postgresql-app/create-app-service-visual-studio-code-9.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/create-app-service-visual-studio-code-9-240px.png" lightbox="./media/tutorial-python-postgresql-app/create-app-service-visual-studio-code-9.png" alt-text="A screenshot showing how to use the search box in the top tool bar of VS Code to skip configuring Application Insights for a web app in Azure." ::: \| +\| [!INCLUDE [A screenshot showing how to use the search box in the top tool bar to find App Services in Azure](<./includes/tutorial-python-postgresql-app/create-app-service-visual-studio-code-10.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/create-app-service-visual-studio-code-10a-240px.png" lightbox="./media/tutorial-python-postgresql-app/create-app-service-visual-studio-code-10a.png" alt-text="A screenshot showing deployment with Visual Studio Code and View Output Button." ::: :::image type="content" source="./media/tutorial-python-postgresql-app/create-app-service-visual-studio-code-10b-240px.png" lightbox="./media/tutorial-python-postgresql-app/create-app-service-visual-studio-code-10b.png" alt-text="A screenshot showing deployment with Visual Studio Code and how to view App Service in Azure portal." ::: :::image type="content" source="./media/tutorial-python-postgresql-app/create-app-service-visual-studio-code-10c-240px.png" lightbox="./media/tutorial-python-postgresql-app/create-app-service-visual-studio-code-10c.png" alt-text="A screenshot showing the default App Service web page when no app has been deployed." ::: \| - ```azurecli - az config param-persist on - ``` +### [Azure CLI](#tab/azure-cli) -1. Create a [resource group](../azure-resource-manager/management/overview.md#terminology) (you can change the name, if desired). The resource group name is cached and automatically applied to subsequent commands. +Azure CLI commands can be run in the [Azure Cloud Shell](https://shell.azure.com) or on a workstation with the [Azure CLI installed](/cli/azure/install-azure-cli). - ```azurecli - az group create --name Python-Django-PGFlex-rg --location centralus - ``` -1. Create the database server (the process takes a few minutes): +- - ```azurecli - az postgres flexible-server create --sku-name Standard_B1ms --public-access all - ``` - - If the `az` command isn't recognized, be sure you have the Azure CLI installed as described in [Set up your initial environment](#1-set-up-your-initial-environment). - - The [az postgres flexible-server create](/cli/azure/postgres/flexible-server#az_postgres_flexible_server_create) command does the following actions, which take a few minutes: - - - Create a default resource group if there's not a cached name already. - - Create a PostgreSQL Flexible Server: - - By default, the command uses a generated name like `server383813186`. You can specify your own name with the `--name` parameter. The name must be unique across all of Azure. - - The command uses the lowest-cost `Standard_B1ms` pricing tier. Omit the `--sku-name` argument to use the default `Standard_D2s_v3` tier. - - The command uses the resource group and location cached from the previous `az group create` command, which in this example is the resource group `Python-Django-PGFlex-rg` in the `centralus` region. - - Create an admin account with a username and password. You can specify these values directly with the `--admin-user` and `--admin-password` parameters. - - Create a database named `flexibleserverdb` by default. You can specify a database name with the `--database-name` parameter. - - Allows complete public access, which you can control using the `--public-access` parameter. - -1. When the command completes, copy the command's JSON output to a file because you need values from the output later in this tutorial, specifically the host, username, and password, along with the database name. +Having issues? Refer first to the [Troubleshooting guide](configure-language-python.md#troubleshooting), otherwise, [let us know](https://aka.ms/DjangoCLITutorialHelp). +## 3 - Create the PostgreSQL database in Azure -Having issues? [Let us know](https://aka.ms/DjangoCLITutorialHelp). +You can create a PostgreSQL database in Azure using the [Azure portal](https://portal.azure.com/), Visual Studio Code, or the Azure CLI. -## 4. Deploy the code to Azure App Service +### [Azure portal](#tab/azure-portal) -In this section, you create app host in App Service app, connect this app to the Postgres database, then deploy your code to that host. +Sign in to the [Azure portal](https://portal.azure.com/) and follow these steps to create your Azure App Service resources. -### 4.1 Create the App Service app +\| Instructions \| Screenshot \| +\|:-\|--:\| +\| [!INCLUDE [A screenshot showing how to use the search box in the top tool bar to find Postgres Services in Azure](<./includes/tutorial-python-postgresql-app/create-postgres-service-azure-portal-1.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/create-postgres-service-azure-portal-1-240px.png" lightbox="./media/tutorial-python-postgresql-app/create-postgres-service-azure-portal-1.png" alt-text="A screenshot showing how to use the search box in the top tool bar to find Postgres Services in the Azure portal." ::: \| +\| [!INCLUDE [A screenshot showing the location of the Create button on the Azure Database for PostgreSQL servers page in the Azure portal](<./includes/tutorial-python-postgresql-app/create-postgres-service-azure-portal-2.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/create-postgres-service-azure-portal-2-240px.png" lightbox="./media/tutorial-python-postgresql-app/create-postgres-service-azure-portal-2.png" alt-text="A screenshot showing the location of the Create button on the Azure Database for PostgreSQL servers page in the Azure portal." ::: \| +\| [!INCLUDE [A screenshot showing the location of the Create button on the Azure Database for PostgreSQL Flexible server deployment option page in the Azure portal](<./includes/tutorial-python-postgresql-app/create-postgres-service-azure-portal-3.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/create-postgres-service-azure-portal-3-240px.png" lightbox="./media/tutorial-python-postgresql-app/create-postgres-service-azure-portal-3.png" alt-text="A screenshot showing the location of the Create Flexible Server button on the Azure Database for PostgreSQL deployment option page in the Azure portal." ::: \| +\| [!INCLUDE [A screenshot showing how to fill out the form to create a new Azure Database for PostgreSQL Flexible server in the Azure portal](<./includes/tutorial-python-postgresql-app/create-postgres-service-azure-portal-4.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/create-postgres-service-azure-portal-4-240px.png" lightbox="./media/tutorial-python-postgresql-app/create-postgres-service-azure-portal-4.png" alt-text="A screenshot showing how to fill out the form to create a new Azure Database for PostgreSQL in the Azure portal." ::: \| +\| [!INCLUDE [A screenshot showing how to select and configure the compute and storage for PostgreSQL Flexible server in the Azure portal](<./includes/tutorial-python-postgresql-app/create-postgres-service-azure-portal-5.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/create-postgres-service-azure-portal-5-240px.png" lightbox="./media/tutorial-python-postgresql-app/create-postgres-service-azure-portal-5.png" alt-text="A screenshot showing how to select and configure the basic database service plan in the Azure portal." ::: \| +\| [!INCLUDE [A screenshot showing creating administrator account information for the PostgreSQL Flexible server in in the Azure portal](<./includes/tutorial-python-postgresql-app/create-postgres-service-azure-portal-6.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/create-postgres-service-azure-portal-6-240px.png" lightbox="./media/tutorial-python-postgresql-app/create-postgres-service-azure-portal-6.png" alt-text="Creating administrator account information for the PostgreSQL Flexible server in in the Azure portal." ::: \| +\| [!INCLUDE [A screenshot showing adding current IP as a firewall rule for the PostgreSQL Flexible server in the Azure portal](<./includes/tutorial-python-postgresql-app/create-postgres-service-azure-portal-7.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/create-postgres-service-azure-portal-7-240px.png" lightbox="./media/tutorial-python-postgresql-app/create-postgres-service-azure-portal-7.png" alt-text="A screenshot showing adding current IP as a firewall rule for the PostgreSQL Flexible server in the Azure portal." ::: \| -In the terminal, ensure you're in the djangoapp repository folder that contains the app code. +### [VS Code](#tab/vscode-aztools) -Create an App Service app (the host process) with the [`az webapp up`](/cli/azure/webapp#az_webapp_up) command: +Follow these steps to create your Azure Database for PostgreSQL resource using the [Azure Tools extension pack](https://marketplace.visualstudio.com/items?itemName=ms-vscode.vscode-node-azure-pack) in Visual Studio Code. -```azurecli -az webapp up --resource-group DjangoPostgres-tutorial-rg --location centralus --plan DjangoPostgres-tutorial-plan --sku B1 --name <app-name> -``` -<!-- without --sku creates PremiumV2 plan --> +\| Instructions \| Screenshot \| +\|:-\|--:\| +\| [!INCLUDE [Open Azure Extension - Database in VS Code](<./includes/tutorial-python-postgresql-app/create-postgres-service-visual-studio-code-1.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/create-postgres-service-visual-studio-code-1-240px.png" lightbox="./media/tutorial-python-postgresql-app/create-postgres-service-visual-studio-code-1.png" alt-text="A screenshot showing how to open Azure Extension for Database in VS Code." ::: \| +\| [!INCLUDE [Create database server in VS Code](<./includes/tutorial-python-postgresql-app/create-postgres-service-visual-studio-code-2.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/create-postgres-service-visual-studio-code-2-240px.png" alt-text="A screenshot showing how create a database server in VSCode." lightbox="./media/tutorial-python-postgresql-app/create-postgres-service-visual-studio-code-2.png"::: \| +\| [!INCLUDE [Azure portal - create new resource](<./includes/tutorial-python-postgresql-app/create-postgres-service-visual-studio-code-3.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/create-postgres-service-visual-studio-code-3-240px.png" alt-text="A screenshot how to create a new resource in VS Code." lightbox="./media/tutorial-python-postgresql-app/create-postgres-service-visual-studio-code-3.png"::: \| +\| [!INCLUDE [Azure portal - create new resource](<./includes/tutorial-python-postgresql-app/create-postgres-service-visual-studio-code-4.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/create-postgres-service-visual-studio-code-4a-240px.png" alt-text="A screenshot showing how to create a new resource in the VS Code - server name." lightbox="./media/tutorial-python-postgresql-app/create-postgres-service-visual-studio-code-4a.png"::: :::image type="content" source="./media/tutorial-python-postgresql-app/create-postgres-service-visual-studio-code-4b-240px.png" alt-text="A screenshot showing how to create a new resource in VS Code - SKU." lightbox="./media/tutorial-python-postgresql-app/create-postgres-service-visual-studio-code-4b.png"::: :::image type="content" source="./media/tutorial-python-postgresql-app/create-postgres-service-visual-studio-code-4c-240px.png" alt-text="A screenshot showing how to create a new resource in VS Code - admin account name." lightbox="./media/tutorial-python-postgresql-app/create-postgres-service-visual-studio-code-4c.png"::: :::image type="content" source="./media/tutorial-python-postgresql-app/create-postgres-service-visual-studio-code-4d-240px.png" alt-text="A screenshot showing how to create a new resource in VS Code - admin account password." lightbox="./media/tutorial-python-postgresql-app/create-postgres-service-visual-studio-code-4d.png"::: :::image type="content" source="./media/tutorial-python-postgresql-app/create-postgres-service-visual-studio-code-4e-240px.png" alt-text="A screenshot showing how to create a new resource in VS Code - resource group." lightbox="./media/tutorial-python-postgresql-app/create-postgres-service-visual-studio-code-4e.png"::: :::image type="content" source="./media/tutorial-python-postgresql-app/create-postgres-service-visual-studio-code-4f-240px.png" alt-text="A screenshot showing how to create a new resource in VS Code - location." lightbox="./media/tutorial-python-postgresql-app/create-postgres-service-visual-studio-code-4f.png":::\| +\| [!INCLUDE [Configure access for the database in the Azure portal](<./includes/tutorial-python-postgresql-app/create-postgres-service-visual-studio-code-5.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/create-postgres-service-visual-studio-code-5a-240px.png" lightbox="./media/tutorial-python-postgresql-app/create-postgres-service-visual-studio-code-5a.png" alt-text="A screenshot showing how to configure access for a database by configuring a firewall rule in VS Code." ::: :::image type="content" source="./media/tutorial-python-postgresql-app/create-postgres-service-visual-studio-code-5b-240px.png" lightbox="./media/tutorial-python-postgresql-app/create-postgres-service-visual-studio-code-5b.png" alt-text="A screenshot showing how to select the correct PostgreSQL server to add a firewall rule in VS Code." ::: :::image type="content" source="./media/tutorial-python-postgresql-app/create-postgres-service-visual-studio-code-5c-240px.png" lightbox="./media/tutorial-python-postgresql-app/create-postgres-service-visual-studio-code-5c.png" alt-text="A screenshot showing a dialog box asking to add firewall rule for local IP address in VS Code." :::\| +\| [!INCLUDE [Create a new Azure resource in the Azure portal](<./includes/tutorial-python-postgresql-app/create-postgres-service-visual-studio-code-6.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/create-postgres-service-visual-studio-code-6-240px.png" lightbox="./media/tutorial-python-postgresql-app/create-postgres-service-visual-studio-code-6.png" alt-text="A screenshot showing how to create a PostgreSQL database server in VS Code." ::: \| -- For the `--location` argument, use the same location as you did for the database in the previous section.-- Replace \<app-name> with a unique name across all Azure (the server endpoint is `https://<app-name>.azurewebsites.net`). Allowed characters for \<app-name> are `A`-`Z`, `0`-`9`, and `-`. A good pattern is to use a combination of your company name and an app identifier. +### [Azure CLI](#tab/azure-cli) -This command does the following actions, which may take a few minutes: +Run `az login` to sign in to and follow these steps to create your Azure Database for PostgreSQL resource. -<!- -<!-- No it doesn't. az webapp up doesn't respect --resource-group --> -- Create the [resource group](../azure-resource-manager/management/overview.md#terminology) if it doesn't already exist. (In this command you use the same resource group in which you created the database earlier.)-- Create the [App Service plan](overview-hosting-plans.md) DjangoPostgres-tutorial-plan in the Basic pricing tier (B1), if it doesn't exist. `--plan` and `--sku` are optional.-- Create the App Service app if it doesn't exist.-- Allow default logging for the app, if not already enabled.-- Upload the repository using ZIP deployment with build automation enabled.-- Cache common parameters, such as the name of the resource group and App Service plan, into the file .azure/config. As a result, you don't need to specify again all the same parameters with later commands. For example, to redeploy the app after making changes, you can just run `az webapp up` again without any parameters. Commands that come from CLI extensions, such as `az postgres up` don't use the cache now, which is why you must specify the resource group and location here with the initial use of `az webapp up`. +- - -1. In the terminal, ensure you're in the djangoapp repository folder that contains the app code. +Having issues? [Let us know](https://aka.ms/DjangoCLITutorialHelp). -1. Switch to the sample app's `flexible-server` branch. This branch contains specific configuration needed for PostgreSQL Flexible Server: +## 4 - Allow web app to access the database - ```cmd - git checkout flexible-server - ``` +After the Azure Database for PostgreSQL server is created, configure access to the server from the web app by adding a firewall rule. This can be done through the Azure portal or the Azure CLI. -1. Run the following [`az webapp up`](/cli/azure/webapp#az_webapp_up) command to create the App Service host for the app: +If you are working in VS Code, right-click the database server and select Open in Portal to go to the Azure portal. Or, go to the [Azure Cloud Shell](https://shell.zure.com) and run the Azure CLI commands. +### [Azure portal](#tab/azure-portal-access) - ```azurecli - az webapp up --name <app-name> --sku B1 - ``` - <!-- without --sku creates PremiumV2 plan --> - - This command does the following actions, which may take a few minutes, using resource group and location cached from the previous `az group create` command (the group `Python-Django-PGFlex-rg` in the `centralus` region in this example). - - <!- - <!-- No it doesn't. az webapp up doesn't respect --resource-group --> - - Create an [App Service plan](overview-hosting-plans.md) in the Basic pricing tier (B1). You can omit `--sku` to use default values. - - Create the App Service app. - - Allow default logging for the app. - - Upload the repository using ZIP deployment with build automation enabled. +\| Instructions \| Screenshot \| +\|:-\|--:\| +\| [!INCLUDE [A screenshot showing the location and adding a firewall rule in the Azure portal](<./includes/tutorial-python-postgresql-app/add-access-to-postgres-from-web-app-portal-1.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/add-access-to-postgres-from-web-app-portal-1-240px.png" lightbox="./media/tutorial-python-postgresql-app/add-access-to-postgres-from-web-app-portal-1.png" alt-text="A screenshot showing how to add access from other Azure services to a PostgreSQL database in the Azure portal." ::: \| +### [Azure CLI](#tab/azure-cli-access) -When deployed successfully, the command generates JSON output like the following example: -![Example az webapp up command output](./media/tutorial-python-postgresql-app/az-webapp-up-output.png) +- Having issues? Refer first to the [Troubleshooting guide](configure-language-python.md#troubleshooting), otherwise, [let us know](https://aka.ms/DjangoCLITutorialHelp). -### 4.2 Configure environment variables to connect the database - -With the code now deployed to App Service, the next step is to connect the app to the Postgres database in Azure. +## 5 - Connect the web app to the database -The app code expects to find database information in four environment variables such as `DBHOST`, `DBNAME`, `DBUSER`, and `DBPASS`. +With the web app and PostgreSQL database created, the next step is to connect the web app to the PostgreSQL database in Azure. -To set environment variables in App Service, create "app settings" with the following [az webapp config appsettings set](/cli/azure/webapp/config/appsettings#az_webapp_config_appsettings_set) command. +The web app code uses database information in four environment variables named `DBHOST`, `DBNAME`, `DBUSER`, and `DBPASS` to connect to the PostgresSQL server. +### [Azure portal](#tab/azure-portal) -```azurecli -az webapp config appsettings set --settings DBHOST="<postgres-server-name>" DBUSER="<username>" DBPASS="<password>" DBNAME="pollsdb" -``` --- Replace \<postgres-server-name> with the name you used earlier with the `az postgres up` command. The code in azuresite/production.py automatically appends `.postgres.database.azure.com` to create the full Postgres server URL.-- Replace \<username> and \<password> with the admin credentials that you used with the earlier `az postgres up` command, or those that `az postgres up` generated for you. The code in azuresite/production.py automatically constructs the full Postgres username from `DBUSER` and `DBHOST`, so don't include the `@server` portion. (Also, as noted earlier, you shouldn't use the `$` character in either value because it has a special meaning for Linux environment variables.)-- The resource group and app names are drawn from the cached values in the .azure/config file. +\| Instructions \| Screenshot \| +\|:-\|--:\| +\| [!INCLUDE [Azure portal connect app to postgres step 1](<./includes/tutorial-python-postgresql-app/connect-postgres-to-app-azure-portal-1.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/connect-postgres-to-app-azure-portal-1-240px.png" lightbox="./media/tutorial-python-postgresql-app/connect-postgres-to-app-azure-portal-1.png" alt-text="A screenshot showing how to navigate to App Settings in the Azure portal." ::: \| +\| [!INCLUDE [Azure portal connect app to postgres step 2](<./includes/tutorial-python-postgresql-app/connect-postgres-to-app-azure-portal-2.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/connect-postgres-to-app-azure-portal-2-240px.png" lightbox="./media/tutorial-python-postgresql-app/connect-postgres-to-app-azure-portal-2.png" alt-text="A screenshot showing how to configure the App Settings in the Azure portal." ::: \| +### [VS Code](#tab/vscode-aztools) +To configure environment variables for the web app from VS Code, you must have the [Azure Tools extension pack](https://marketplace.visualstudio.com/items?itemName=ms-vscode.vscode-node-azure-pack) installed and be signed into Azure from VS Code. -```azurecli -az webapp config appsettings set --settings DBHOST="<host>" DBUSER="<username>" DBPASS="<password>" DBNAME="flexibleserverdb" -``` +\| Instructions \| Screenshot \| +\|:-\|--:\| +\| [!INCLUDE [VS Code connect app to postgres step 1](<./includes/tutorial-python-postgresql-app/connect-postgres-to-app-visual-studio-code-1.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/connect-app-to-database-azure-extension-240px.png" lightbox="./media/tutorial-python-postgresql-app/connect-app-to-database-azure-extension.png" alt-text="A screenshot showing how to locate the Azure Tools extension in VS Code." ::: \| +\| [!INCLUDE [VS Code connect app to postgres step 2](<./includes/tutorial-python-postgresql-app/connect-postgres-to-app-visual-studio-code-2.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/connect-app-to-database-create-setting-240px.png" lightbox="./media/tutorial-python-postgresql-app/connect-app-to-database-create-setting.png" alt-text="A screenshot showing how to add a setting to the App Service in VS Code." ::: \| +\| [!INCLUDE [VS Code connect app to postgres step 3](<./includes/tutorial-python-postgresql-app/connect-postgres-to-app-visual-studio-code-3.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/connect-app-to-database-settings-example-a-240px.png" lightbox="./media/tutorial-python-postgresql-app/connect-app-to-database-settings-example-a.png" alt-text="A screenshot showing adding setting name for app service to connect to Postgresql database in VS Code." ::: :::image type="content" source="./media/tutorial-python-postgresql-app/connect-app-to-database-settings-example-b-240px.png" lightbox="./media/tutorial-python-postgresql-app/connect-app-to-database-settings-example-b.png" alt-text="A screenshot showing adding setting value for app service to connect to Postgresql database in VS Code." ::: \| -Replace the host, username, and password values with those from the output of the `az postgres flexible-server create` command used earlier. The host should be a URL like `server383813186.postgres.database.azure.com`. +### [Azure CLI](#tab/azure-cli) -Also replace `flexibleserverdb` with the database name if you changed it with the `az postgres flexible-server create` command. - -In your Python code, you use these settings as environment variables with statements like `os.environ.get('DBHOST')`. For more information, see [Access environment variables](configure-language-python.md#access-environment-variables). +- Having issues? Refer first to the [Troubleshooting guide](configure-language-python.md#troubleshooting), otherwise, [let us know](https://aka.ms/DjangoCLITutorialHelp). > [!NOTE] > If you want to try an alternative approach to connect your app to the Postgres database in Azure, see the [Service Connector version](../service-connector/tutorial-django-webapp-postgres-cli.md) of this tutorial. Service Connector is a new Azure service that is currently in public preview. [Section 4.2](../service-connector/tutorial-django-webapp-postgres-cli.md#42-configure-environment-variables-to-connect-the-database) of that tutorial introduces a simplified process for creating the connection. -### 4.3 Run Django database migrations - -Django database migrations ensure that the schema in the PostgreSQL on Azure database matches with those described in your code. +## 6 - Deploy your application code to Azure -1. Run `az webpp ssh` to open an SSH session for the web app in the browser: +Azure App service supports multiple methods to deploy your application code to Azure including support for GitHub Actions and all major CI/CD tools. This article focuses on how to deploy your code from your local workstation to Azure. - ```azurecli - az webapp ssh - ``` +### [Deploy using VS Code](#tab/vscode-aztools-deploy) - If you can't connect to the SSH session, then the app itself has failed to start. [Check the diagnostic logs](#6-stream-diagnostic-logs) for details. For example, if you haven't created the necessary app settings in the previous section, the logs indicate `KeyError: 'DBNAME'`. +To deploy a web app from VS Code, you must have the [Azure Tools extension pack](https://marketplace.visualstudio.com/items?itemName=ms-vscode.vscode-node-azure-pack) installed and be signed into Azure from VS Code. -1. In the SSH session, run the following commands (you can paste commands using Ctrl+Shift+V): +\| Instructions \| Screenshot \| +\|:-\|--:\| +\| [!INCLUDE [VS Code deploy step 1](<./includes/tutorial-python-postgresql-app/deploy-visual-studio-code-1.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/connect-app-to-database-azure-extension-240px.png" lightbox="./media/tutorial-python-postgresql-app/connect-app-to-database-azure-extension.png" alt-text="A screenshot showing how to locate the Azure Tools extension in VS Code." ::: \| +\| [!INCLUDE [VS Code deploy step 2](<./includes/tutorial-python-postgresql-app/deploy-visual-studio-code-2.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/deploy-web-app-visual-studio-code-1-240px.png" lightbox="./media/tutorial-python-postgresql-app/deploy-web-app-visual-studio-code-1.png" alt-text="A screenshot showing how to deploy a web app in VS Code." ::: \| +\| [!INCLUDE [VS Code deploy step 3](<./includes/tutorial-python-postgresql-app/deploy-visual-studio-code-3.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/deploy-web-app-visual-studio-code-2-240px.png" lightbox="./media/tutorial-python-postgresql-app/deploy-web-app-visual-studio-code-2.png" alt-text="A screenshot showing how to deploy a web app in VS Code: selecting the code to deploy." ::: :::image type="content" source="./media/tutorial-python-postgresql-app/deploy-web-app-visual-studio-code-3-240px.png" lightbox="./media/tutorial-python-postgresql-app/deploy-web-app-visual-studio-code-3.png" alt-text="A screenshot showing how to deploy a web app in VS Code: a dialog box to confirm deploy." ::: \| +\| [!INCLUDE [VS Code deploy step 4](<./includes/tutorial-python-postgresql-app/deploy-visual-studio-code-4.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/deploy-web-app-visual-studio-code-4-240px.png" lightbox="./media/tutorial-python-postgresql-app/deploy-web-app-visual-studio-code-4.png" alt-text="A screenshot showing how to deploy a web app in VS Code: a dialog box to choose to always deploy to the app service." ::: \| +\| [!INCLUDE [VS Code deploy step 5](<./includes/tutorial-python-postgresql-app/deploy-visual-studio-code-5.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/deploy-web-app-visual-studio-code-5-240px.png" lightbox="./media/tutorial-python-postgresql-app/deploy-web-app-visual-studio-code-5.png" alt-text="A screenshot showing how to deploy a web app in VS Code: a dialog box with choice to browse to website." ::: :::image type="content" source="./media/tutorial-python-postgresql-app/deploy-web-app-visual-studio-code-6-240px.png" lightbox="./media/tutorial-python-postgresql-app/deploy-web-app-visual-studio-code-6.png" alt-text="A screenshot showing how to deploy a web app in VS Code: a dialog box with choice to view deployment details." ::: \| - ```bash - # Run database migrations - python manage.py migrate +### [Deploy using Local Git](#tab/local-git-deploy) - # Create the super user (follow prompts) - python manage.py createsuperuser - ``` - If you encounter any errors related to connecting to the database, check the values of the application settings created in the previous section. +### [Deploy using a ZIP file](#tab/zip-deploy) -1. The `createsuperuser` command prompts you for superuser credentials. For the purposes of this tutorial, use the default username `root`, press Enter for the email address to leave it blank, and type `Pollsdb1` for the password. -1. If you see an error that the database is locked, ensure that you ran the `az webapp settings` command in the previous section. Without those settings, the migrate command can't communicate with the database, resulting in the error. +- Having issues? Refer first to the [Troubleshooting guide](configure-language-python.md#troubleshooting), otherwise, [let us know](https://aka.ms/DjangoCLITutorialHelp). - -### 4.4 Create a poll question in the app -1. Open the app website. The app should display the message "Polls app" and "No polls are available" because there are no specific polls yet in the database. +## 7 - Migrate app database - ```azurecli - az webapp browse - ``` +With the code deployed and the database in place, the app is almost ready to use. The only piece that remains is to establish the necessary schema in the database itself. You do this by "migrating" the data models in the Django app to the database. - If you see "Application Error", then it's likely that you either didn't create the required settings in the previous step, [Configure environment variables to connect the database](#42-configure-environment-variables-to-connect-the-database), or that those value contain errors. Run the command `az webapp config appsettings list` to check the settings. You can also [check the diagnostic logs](#6-stream-diagnostic-logs) to see specific errors during app startup. For example, if you didn't create the settings, the logs show the error, `KeyError: 'DBNAME'`. +Step 1. Create SSH session and connect to web app server. - After updating the settings to correct any errors, give the app a minute to restart, then refresh the browser. +### [Azure portal](#tab/azure-portal) -1. Browse to the web app's admin page by appending `/admin` to the URL, for example, `http://<app-name>.azurewebsites.net/admin`. Sign in using Django superuser credentials from the previous section (`root` and `Pollsdb1`). Under Polls, select Add next to Questions and create a poll question with some choices. +Navigate to page for the App Service instance in the Azure portal. -1. Return to the main website (`http://<app-name>.azurewebsites.net`) to confirm that the questions are now presented to the user. Answer questions however you like to generate some data in the database. +1. Select SSH, under Development Tools on the left side +2. Then Go to open an SSH console on the web app server. (It may take a minute to connect for the first time as the web app container needs to start.) -Congratulations! You're running a Python Django web app in Azure App Service for Linux, with an active Postgres database. +### [VS Code](#tab/vscode-aztools) -Having issues? [Let us know](https://aka.ms/DjangoCLITutorialHelp). - -> [!NOTE] -> App Service detects a Django project by looking for a wsgi.py file in each subfolder, which `manage.py startproject` creates by default. When App Service finds that file, it loads the Django web app. For more information, see [Configure built-in Python image](configure-language-python.md). +In VS Code, you can use the [Azure Tools extension pack](https://marketplace.visualstudio.com/items?itemName=ms-vscode.vscode-node-azure-pack), which must be installed and be signed into Azure from VS Code. -## 5. Make code changes and redeploy +In the App Service section of the Azure Tools extension: -In this section, you make local changes to the app and redeploy the code to App Service. In the process, you set up a Python virtual environment that supports ongoing work. +1. Locate your web app and right-click to bring up the context menu. +2. Select SSH into Web App to open an SSH terminal window. -### 5.1 Run the app locally +### [Azure CLI](#tab/azure-cli) -In a terminal window, run the following commands. Be sure to follow the prompts when creating the superuser: -# [bash](#tab/bash) + -```bash -# Configure the Python virtual environment -python3 -m venv venv -source venv/bin/activate +> [!NOTE] +> If you cannot connect to the SSH session, then the app itself has failed to start. Check the diagnostic logs for details. For example, if you haven't created the necessary app settings in the previous section, the logs will indicate `KeyError: 'DBNAME'`. -# Install dependencies -pip install -r requirements.txt -# Run Django migrations -python manage.py migrate -# Create Django superuser (follow prompts) -python manage.py createsuperuser -# Run the dev server -python manage.py runserver -``` +Step 2. In the SSH session, run the following command to migrate the models into the database schema (you can paste commands using Ctrl+Shift+V): -# [PowerShell](#tab/powershell) +### [Flask](#tab/flask) -```powershell -# Configure the Python virtual environment -py -3 -m venv venv -Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -Force -venv\scripts\activate +When deploying the Flask sample app to Azure App Service, the database tables are created automatically in Azure PostgreSQL. If the tables aren't created, try the following command: -# Install dependencies -pip install -r requirements.txt -# Run Django migrations -python manage.py migrate -# Create Django superuser (follow prompts) -python manage.py createsuperuser -# Run the dev server -python manage.py runserver +```bash +# Create database tables +flask db init ``` -# [CMD](#tab/cmd) - -```cmd -:: Configure the Python virtual environment -py -3 -m venv venv -venv\scripts\activate +### [Django](#tab/django) -:: Install dependencies -pip install -r requirements.txt -:: Run Django migrations +```bash +# Create database tables python manage.py migrate -:: Create Django superuser (follow prompts) -python manage.py createsuperuser -:: Run the dev server -python manage.py runserver ```-- -Once the web app is fully loaded, the Django development server provides the local app URL in the message, "Starting development server at http://127.0.0.1:8000/. Quit the server with CTRL-BREAK". - -![Example Django development server output](./media/tutorial-python-postgresql-app/django-dev-server-output.png) -Test the app locally with the following steps: - -1. Go to `http://localhost:8000` in a browser, which should display the message "No polls are available". - -1. Go to `http://localhost:8000/admin` and sign in using the admin user you created previously. Under Polls, again select Add next to Questions and create a poll question with some choices. - -1. Go to `http://localhost:8000` again and answer the question to test the app. + -1. Stop the Django server by pressing Ctrl+C. +If you encounter any errors related to connecting to the database, check the values of the application settings of the App Service created in the previous section, namely `DBHOST`, `DBNAME`, `DBUSER`, and `DBPASS`. Without those settings, the migrate command cannot communicate with the database. -When you run it locally, the app is using a local Sqlite3 database and doesn't interfere with your production database. If needed, to better simulate your production environment, you can also use a local PostgreSQL database. +> [!TIP] +> In an SSH session, for Django you can also create users with the `python manage.py createsuperuser` command like you would with a typical Django app. For more information, see the documentation for [django django-admin and manage.py](https://docs.djangoproject.com/en/1.8/ref/django-admin/). Use the superuser account to access the `/admin` portion of the web site. For Flask, use an extension such as [Flask-admin](https://github.com/flask-admin/flask-admin) to provide the same functionality. Having issues? [Let us know](https://aka.ms/DjangoCLITutorialHelp). -### 5.2 Update the app +## 8 - Browse to the app -In `polls/models.py`, locate the line that begins with `choice_text` and change the `max_length` parameter to 100: +Browse to the deployed application in your web browser at the URL `http://<app-name>.azurewebsites.net`. It can take a minute or two for the app to start, so if you see a default app page, wait a minute and refresh the browser. -```python -# Find this line of code and set max_length to 100 instead of 200 -choice_text = models.CharField(max_length=100) -``` - -Because you changed the data model, create a new Django migration and migrate the database: +When you see your sample web app, it is running in a Linux container in App Service using a built-in image Congratulations! You've deployed your Python app to App Service. -``` -python manage.py makemigrations -python manage.py migrate -``` +### [Flask](#tab/flask) -Run the development server again with `python manage.py runserver` and test the app at to http:\//localhost:8000/admin: -Stop the Django web server again with Ctrl+C. +### [Django](#tab/django) -Having issues? Refer first to the [Troubleshooting guide](configure-language-python.md#troubleshooting), otherwise, [let us know](https://aka.ms/DjangoCLITutorialHelp). -### 5.3 Redeploy the code to Azure - -Run the following command in the repository root: - -```azurecli -az webapp up -``` + -This command uses the parameters cached in the .azure/config file. Because App Service detects that the app already exists, it just redeploys the code. +Having issues? [Let us know](https://aka.ms/DjangoCLITutorialHelp). -Having issues? Refer first to the [Troubleshooting guide](configure-language-python.md#troubleshooting), otherwise, [let us know](https://aka.ms/DjangoCLITutorialHelp). +## 9 - Stream diagnostic logs -### 5.4 Rerun migrations in Azure +Azure App Service captures all messages output to the console to help you diagnose issues with your application. The sample app includes `print()` statements to demonstrate this capability as shown below. -Because you made changes to the data model, you need to rerun database migrations in App Service. +### [Flask](#tab/flask) -Open an SSH session again in the browser by navigating to `https://<app-name>.scm.azurewebsites.net/webssh/host`. Then run the following command: -``` -python manage.py migrate -``` +### [Django](#tab/django) -Having issues? Refer first to the [Troubleshooting guide](configure-language-python.md#troubleshooting), otherwise, [let us know](https://aka.ms/DjangoCLITutorialHelp). -### 5.5 Review app in production + -Browse to the app again (using `az webapp browse` or navigating to `http://<app-name>.azurewebsites.net`) and test the app again in production. (You changed only the length of a database field. So the change is only noticeable if you typed a longer response when you create a question.) +You can access the console logs generated from inside the container that hosts the app on Azure. -Having issues? Refer first to the [Troubleshooting guide](configure-language-python.md#troubleshooting), otherwise, [let us know](https://aka.ms/DjangoCLITutorialHelp). +### [Azure portal](#tab/azure-portal) -## 6. Stream diagnostic logs +\| Instructions \| Screenshot \| +\|:-\|--:\| +\| [!INCLUDE [Stream logs from Azure portal 1](<./includes/tutorial-python-postgresql-app/stream-logs-azure-portal-1.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/stream-logs-azure-portal-1-240px.png" lightbox="./media/tutorial-python-postgresql-app/stream-logs-azure-portal-1.png" alt-text="A screenshot showing how to set application logging in the Azure portal." ::: \| +\| [!INCLUDE [Stream logs from Azure portal 2](<./includes/tutorial-python-postgresql-app/stream-logs-azure-portal-2.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/stream-logs-azure-portal-2-240px.png" lightbox="./media/tutorial-python-postgresql-app/stream-logs-azure-portal-2.png" alt-text="A screenshot showing how to stream logs in the Azure portal." ::: \| -You can use the console logs generated from inside the container that hosts the app on Azure. +### [VS Code](#tab/vscode-aztools) -Run the following Azure CLI command to see the log stream. This command uses parameters cached in the .azure/config file. +\| Instructions \| Screenshot \| +\|:-\|--:\| +\| [!INCLUDE [Stream logs from VS Code 1](<./includes/tutorial-python-postgresql-app/stream-logs-visual-studio-code-1.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/stream-logs-visual-studio-code-1-240px.png" lightbox="./media/tutorial-python-postgresql-app/stream-logs-visual-studio-code-1.png" alt-text="A screenshot showing how to set application logging in VS Code." ::: \| +\| [!INCLUDE [Stream logs from VS Code 2](<./includes/tutorial-python-postgresql-app/stream-logs-visual-studio-code-2.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/stream-logs-visual-studio-code-2-240px.png" lightbox="./media/tutorial-python-postgresql-app/stream-logs-visual-studio-code-2.png" alt-text="A screenshot showing VS Code output window." ::: \| -```azurecli -az webapp log tail -``` +### [Azure CLI](#tab/azure-cli) -If you don't see console logs immediately, check again in 30 seconds. -To stop log streaming at any time, type Ctrl+C. +- Having issues? [Let us know](https://aka.ms/DjangoCLITutorialHelp). -> [!NOTE] -> You can also inspect the log files from the browser at `https://<app-name>.scm.azurewebsites.net/api/logs/docker`. -> -> `az webapp up` turns on the default logging for you. For performance reasons, this logging turns itself off after some time, but turns back on each time you run `az webapp up` again. To turn it on manually, run the following command: -> -> ```azurecli -> az webapp log config --docker-container-logging filesystem -> ``` +## Clean up resources -## 7. Manage your app in the Azure portal +You can leave the app and database running as long as you want for further development work and skip ahead to [Next steps](#next-steps). -In the [Azure portal](https://portal.azure.com), search for the app name and select the app in the results. +However, when you are finished with the sample app, you can remove all of the resources for the app from Azure to ensure you do not incur other charges and keep your Azure subscription uncluttered. Removing the resource group also removes all resources in the resource group and is the fastest way to remove all Azure resources for your app. -![Navigate to your Python Django app in the Azure portal](./media/tutorial-python-postgresql-app/navigate-to-django-app-in-app-services-in-the-azure-portal.png) +### [Azure portal](#tab/azure-portal) -By default, the portal shows your app's Overview page, which provides a general performance view. Here, you can also perform basic management tasks like browse, stop, restart, and delete. The tabs on the left side of the page show the different configuration pages you can open. +Follow these steps while signed-in to the Azure portal to delete a resource group. -![Manage your Python Django app in the Overview page in the Azure portal](./media/tutorial-python-postgresql-app/manage-django-app-in-app-services-in-the-azure-portal.png) +\| Instructions \| Screenshot \| +\|:-\|--:\| +\| [!INCLUDE [Remove resource group Azure portal 1](<./includes/tutorial-python-postgresql-app/remove-resource-group-azure-portal-1.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/remove-resource-group-azure-portal-1-240px.png" lightbox="./media/tutorial-python-postgresql-app/remove-resource-group-azure-portal-1.png" alt-text="A screenshot showing how to find resource group in the Azure portal." ::: \| +\| [!INCLUDE [Remove resource group Azure portal 2](<./includes/tutorial-python-postgresql-app/remove-resource-group-azure-portal-2.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/remove-resource-group-azure-portal-2-240px.png" lightbox="./media/tutorial-python-postgresql-app/remove-resource-group-azure-portal-2.png" alt-text="A screenshot showing how to delete a resource group in the Azure portal." ::: \| +\| [!INCLUDE [Remove resource group Azure portal 3](<./includes/tutorial-python-postgresql-app/remove-resource-group-azure-portal-3.md>)] \| \| -Having issues? Refer first to the [Troubleshooting guide](configure-language-python.md#troubleshooting), otherwise, [let us know](https://aka.ms/DjangoCLITutorialHelp). -## 8. Clean up resources +### [VS Code](#tab/vscode-aztools) -If you'd like to keep the app or continue to the other tutorials, skip ahead to [Next steps](#next-steps). Otherwise, to avoid incurring ongoing charges you can delete the resource group created for this tutorial: +\| Instructions \| Screenshot \| +\|:-\|--:\| +\| [!INCLUDE [Remove resource group VS Code 1](<./includes/tutorial-python-postgresql-app/remove-resource-group-visual-studio-code-1.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/remove-resource-group-visual-studio-code-1-240px.png" lightbox="./media/tutorial-python-postgresql-app/remove-resource-group-visual-studio-code-1.png" alt-text="A screenshot showing how to delete a resource group in VS Code." ::: \| +\| [!INCLUDE [Remove resource group VS Code 2](<./includes/tutorial-python-postgresql-app/remove-resource-group-visual-studio-code-2.md>)] \| :::image type="content" source="./media/tutorial-python-postgresql-app/remove-resource-group-visual-studio-code-2-240px.png" lightbox="./media/tutorial-python-postgresql-app/remove-resource-group-visual-studio-code-2.png" alt-text="A screenshot showing how to finish deleting a resource in VS Code." ::: \| -```azurecli -az group delete --name Python-Django-PGFlex-rg --no-wait -``` +### [Azure CLI](#tab/azure-cli) -If you delete the resource group, you also deallocate and delete all the resources contained within it. Ensure you no longer need the resources in the group before using the command. -Deleting all the resources can take some time. The `--no-wait` argument allows the command to return immediately. +- Having issues? [Let us know](https://aka.ms/DjangoCLITutorialHelp).
attestation	Overview	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/attestation/overview.md	# Microsoft Azure Attestation -Microsoft Azure Attestation is a unified solution for remotely verifying the trustworthiness of a platform and integrity of the binaries running inside it. The service supports attestation of the platforms backed by Trusted Platform Modules (TPMs) alongside the ability to attest to the state of Trusted Execution Environments (TEEs) such as [Intel┬« Software Guard Extensions](https://www.intel.com/content/www/us/en/architecture-and-technology/software-guard-extensions.html) (SGX) enclaves, [Virtualization-based Security](/windows-hardware/design/device-experiences/oem-vbs) (VBS) enclaves, [Trusted Platform Modules (TPMs)](/windows/security/information-protection/tpm/trusted-platform-module-overview), [Trusted launch for Azure VMs](/azure/virtual-machines/trusted-launch#microsoft-defender-for-cloud-integration) and [Azure confidential VMs](/azure/confidential-computing/confidential-vm-overview). +Microsoft Azure Attestation is a unified solution for remotely verifying the trustworthiness of a platform and integrity of the binaries running inside it. The service supports attestation of the platforms backed by Trusted Platform Modules (TPMs) alongside the ability to attest to the state of Trusted Execution Environments (TEEs) such as [Intel┬« Software Guard Extensions](https://www.intel.com/content/www/us/en/architecture-and-technology/software-guard-extensions.html) (SGX) enclaves, [Virtualization-based Security](/windows-hardware/design/device-experiences/oem-vbs) (VBS) enclaves, [Trusted Platform Modules (TPMs)](/windows/security/information-protection/tpm/trusted-platform-module-overview), [Trusted launch for Azure VMs](/azure/virtual-machines/trusted-launch) and [Azure confidential VMs](/azure/confidential-computing/confidential-vm-overview). Attestation is a process for demonstrating that software binaries were properly instantiated on a trusted platform. Remote relying parties can then gain confidence that only such intended software is running on trusted hardware. Azure Attestation is a unified customer-facing service and framework for attestation. Azure Attestation receives evidence from compute entities, turns them into a set Azure Attestation provides comprehensive attestation services for multiple environments and distinctive use cases. -### SGX attestation +### SGX enclave attestation -SGX refers to hardware-grade isolation, which is supported on certain Intel CPUs models. SGX enables code to run in sanitized compartments known as SGX enclaves. Access and memory permissions are then managed by hardware to ensure a minimal attack surface with proper isolation. +[Intel┬« Software Guard Extensions](https://www.intel.com/content/www/us/en/architecture-and-technology/software-guard-extensions.html) (SGX) refers to hardware-grade isolation, which is supported on certain Intel CPUs models. SGX enables code to run in sanitized compartments known as SGX enclaves. Access and memory permissions are then managed by hardware to ensure a minimal attack surface with proper isolation. Client applications can be designed to take advantage of SGX enclaves by delegating security-sensitive tasks to take place inside those enclaves. Such applications can then make use of Azure Attestation to routinely establish trust in the enclave and its ability to access sensitive data. Intel┬« Xeon┬« Scalable processors only support [ECDSA-based attestation solutio > [!NOTE] > To perform attestation of Intel┬« Xeon┬« Scalable processor-based server platforms using Azure Attestation, users are expected to install [Azure DCAP version 1.10.0](https://github.com/microsoft/Azure-DCAP-Client) or higher. -### Open Enclave +### Open Enclave attestation [Open Enclave](https://openenclave.io/sdk/) (OE) is a collection of libraries targeted at creating a single unified enclaving abstraction for developers to build TEE-based applications. It offers a universal secure app model that minimizes platform specificities. Microsoft views it as an essential stepping-stone toward democratizing hardware-based enclave technologies such as SGX and increasing their uptake on Azure. OE standardizes specific requirements for verification of an enclave evidence. This qualifies OE as a highly fitting attestation consumer of Azure Attestation. ### TPM attestation -Trusted Platform Module (TPM) based attestation is critical to provide proof of a platformsΓÇÖ state. TPM acts as the root of trust and the security coprocessor to provide cryptographic validity to the measurements(evidence). Devices with a TPM, can rely on attestation to prove that boot integrity is not compromised along with using the claims to detect feature states enablementΓÇÖs during boot. +[Trusted Platform Modules (TPM)](/windows/security/information-protection/tpm/trusted-platform-module-overview) based attestation is critical to provide proof of a platformsΓÇÖ state. TPM acts as the root of trust and the security coprocessor to provide cryptographic validity to the measurements(evidence). Devices with a TPM, can rely on attestation to prove that boot integrity is not compromised along with using the claims to detect feature states enablementΓÇÖs during boot. Client applications can be designed to take advantage of TPM attestation by delegating security-sensitive tasks to only take place after a platform has been validated to be secure. Such applications can then make use of Azure Attestation to routinely establish trust in the platform and its ability to access sensitive data.
automation	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure Automation description: Lists Azure Policy Regulatory Compliance controls available for Azure Automation. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
azure-app-configuration	Howto Integrate Azure Managed Service Identity	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/howto-integrate-azure-managed-service-identity.md	description: Authenticate to Azure App Configuration using managed identities -+ Last updated 04/08/2021 To set up a managed identity in the portal, you first create an application and ## Grant access to App Configuration +The following steps describe how to assign the App Configuration Data Reader role to App Service. For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md). + 1. In the [Azure portal](https://portal.azure.com), select All resources and select the App Configuration store that you created in the quickstart. 1. Select Access control (IAM). -1. On the Check access tab, select Add in the Add role assignment card UI. +1. Select Add > Add role assignment. + + ![Access control (IAM) page with Add role assignment menu open.](../../includes/role-based-access-control/media/add-role-assignment-menu-generic.png) -1. Under Role, select App Configuration Data Reader. Under Assign access to, select App Service under System assigned managed identity. +1. On the Role tab, select the App Configuration Data Reader role. -1. Under Subscription, select your Azure subscription. Select the App Service resource for your app. + ![Add role assignment page with Role tab selected.](../../includes/role-based-access-control/media/add-role-assignment-role-generic.png) -1. Select Save. +1. On the Members tab, select Managed identity, and then select Select members. - ![Add a managed identity](./media/add-managed-identity.png) +1. Select your Azure subscription, select System-assigned managed identity, and then select App Service. +1. On the Review + assign tab, select Review + assign to assign the role. ## Use a managed identity
azure-app-configuration	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure App Configuration description: Lists Azure Policy Regulatory Compliance controls available for Azure App Configuration. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
azure-arc	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure Arc-enabled servers (preview) description: Lists Azure Policy Regulatory Compliance controls available for Azure Arc-enabled servers (preview). These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
azure-cache-for-redis	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure Cache for Redis description: Lists Azure Policy Regulatory Compliance controls available for Azure Cache for Redis. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
azure-government	Documentation Government Plan Security	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-government/documentation-government-plan-security.md	recommendations: false Previously updated : 01/28/2022 Last updated : 03/12/2022 # Azure Government security We're now screening all our operators at a Tier 3 Investigation (formerly Nation \|Applicable screening and background check\|Environment\|Frequency\|Description\| \|\|\|\|\| -\|Background check </br> Cloud screen\|Azure </br>Azure Gov\|Upon employment\|- Education history (highest degree) </br>- Employment history (7-yr history)\| -\|\|\|Every two years\|- Social Security Number search </br>- Criminal history check (7-yr history) </br>- Office of Foreign Assets Control (OFAC) list </br>- Bureau of Industry and Security (BIS) list </br>- Office of Defense Trade Controls (DDTC) debarred list\| +\|New hire check\|Azure </br>Azure Gov\|Upon employment\|- Education history (highest degree) </br>- Employment history (7-yr history) </br>- Social Security Number search </br>- Criminal history check (7-yr history) </br>- Office of Foreign Assets Control (OFAC) list </br>- Bureau of Industry and Security (BIS) list </br>- Office of Defense Trade Controls (DDTC) debarred list\| +\|Cloud screen\|Azure </br>Azure Gov\|Every two years\|- Social Security Number search </br>- Criminal history check (7-yr history) </br>- Office of Foreign Assets Control (OFAC) list </br>- Bureau of Industry and Security (BIS) list </br>- Office of Defense Trade Controls (DDTC) debarred list\| \|US citizenship\|Azure Gov\|Upon employment\|- Verification of US citizenship\| \|Criminal Justice Information Services (CJIS)\|Azure Gov\|Upon signed CJIS agreement with State\|- Adds fingerprint background check against FBI database </br>- Criminal records check and credit check\| \|Tier 3 Investigation\|Azure Gov\|Upon signed contract with sponsoring agency\|- Detailed background and criminal history investigation (Form SF 86 required)\|
azure-monitor	Alerts Action Rules	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-action-rules.md	For example, to create a rule that adds an action group to all alerts in a subsc az monitor alert-processing-rule create \ --name 'AddActionGroupToSubscription' \ --rule-type AddActionGroups \scopes "/subscriptions/MySubscriptionId" \action-groups "/subscriptions/MySubscriptionId/resourcegroups/MyResourceGroup1/providers/microsoft.insights/actiongroups/ActionGroup1" \ +--scopes "/subscriptions/sub1" \ +--action-groups "/subscriptions/sub1/resourcegroups/rg1/providers/microsoft.insights/actiongroups/ag1" \ --enabled true \resource-group alertscorrelationrg \description "Add ActionGroup1 to all alerts in the subscription" +--resource-group rg1 \ +--description "Add action group ag1 to all alerts in the subscription" +``` + +The [CLI documentation](/cli/azure/monitor/alert-processing-rule#az-monitor-alert-processing-rule-create) include more examples and an explanation of each parameter. + +### [PowerShell](#tab/powershell) + +### Create an alert processing rule using PowerShell + +Use the `Set-AzAlertProcessingRule` command to create alert processing rules. +For example, to create a rule that adds an action group to all alerts in a subscription, run: + +```powershell +Set-AzAlertProcessingRule -ResourceGroupName rg1 -Name AddActionGroupToSubscription -Scope /subscriptions/MySubId -Description "Add action group ag1 to all alerts in the subscription" -AlertProcessingRuleType AddActionGroups -ActionGroupId /subscriptions/sub1/resourcegroups/rg1/providers/microsoft.insights/actiongroups/ag1 + ``` The [CLI documentation](/cli/azure/monitor/alert-processing-rule#az-monitor-alert-processing-rule-create) include more examples and an explanation of each parameter. az monitor alert-processing-rules update --resource-group MyResourceGroupName -- az monitor alert-processing-rules delete --resource-group MyResourceGroupName --name MyRule ``` +### [PowerShell](#tab/powershell) + +You can view and manage your alert processing rules using the [\-AzAlertProcessingRule](/powershell/module/az.alertsmanagement) commands from Azure CLI. + +Before you manage alert processing rules with the Azure CLI, prepare your environment using the instructions provided in [Configuring an alert processing rule](#configuring-an-alert-processing-rule). + +```powershell +# List all alert processing rules for a subscription +Get-AzAlertProcessingRule + +# Get details of an alert processing rule +Get-AzAlertProcessingRule -ResourceGroupName MyResourceGroupName -Name MyRule \| Format-List + +# Update an alert processing rule +Update-AzAlertProcessingRule -ResourceGroupName MyResourceGroupName -Name MyRule -Enabled False + +# Delete an alert processing rule +Remove-AzAlertProcessingRule -ResourceGroupName MyResourceGroupName -Name MyRule +``` + * * ## Next steps
azure-monitor	Convert Classic Resource	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/convert-classic-resource.md	# Migrate to workspace-based Application Insights resources -This guide will walk you through the process of migrating a classic Application Insights resource to a workspace-based resource. Workspace-based resources support full integration between Application Insights and Log Analytics. Workspace-based resources send Application Insights telemetry to a common Log Analytics workspace, which allows you to access [the latest features of Azure Monitor](#new-capabilities) while keeping application, infrastructure, and platform logs in a single consolidated location. +This guide will walk you through migrating a classic Application Insights resource to a workspace-based resource. Workspace-based resources support full integration between Application Insights and Log Analytics. Workspace-based resources send Application Insights telemetry to a common Log Analytics workspace. This behavior allows you to access [the latest features of Azure Monitor](#new-capabilities) while keeping application, infrastructure, and platform logs in a consolidated location. -Workspace-based resources enables common Azure role-based access control (Azure RBAC) across your resources, and eliminates the need for cross-app/workspace queries. +Workspace-based resources enable common Azure role-based access control (Azure RBAC) across your resources, and eliminate the need for cross-app/workspace queries. Workspace-based resources are currently available in all commercial regions and Azure US Government Workspace-based Application Insights allows you to take advantage of all the lat * [Customer-Managed Keys (CMK)](../logs/customer-managed-keys.md) provides encryption at rest for your data with encryption keys that only you have access to. * [Azure Private Link](../logs/private-link-security.md) allows you to securely link Azure PaaS services to your virtual network using private endpoints. -* [Bring Your Own Storage (BYOS) for Profiler and Snapshot Debugger](./profiler-bring-your-own-storage.md) gives you full control over the encryption-at-rest policy, the lifetime management policy, and network access for all data associated with Application Insights Profiler and Snapshot Debugger. -* [Commitment Tiers](../logs/manage-cost-storage.md#pricing-model) enable you to save as much as 30% compared to the Pay-As-You-Go price. Otherwise, Pay-as-you-go data ingestion and data retention are billed similarly in Log Anaytics as they are in Application Insights. +* [Bring Your Own Storage (BYOS) for Profiler and Snapshot Debugger](./profiler-bring-your-own-storage.md) gives you full control over: + - Encryption-at-rest policy + - Lifetime management policy + - Network access for all data associated with Application Insights Profiler and Snapshot Debugger +* [Commitment Tiers](../logs/manage-cost-storage.md#pricing-model) enable you to save as much as 30% compared to the Pay-As-You-Go price. Otherwise, Pay-as-you-go data ingestion and data retention are billed similarly in Log Analytics as they are in Application Insights. * Faster data ingestion via Log Analytics streaming ingestion. ## Migration process -When you migrate to a workspace-based resource, no data is transferred from your classic resource's storage to the new workspace-based storage. Choosing to migrate will instead change the location where new data is written to a Log Analytics workspace while preserving access to your classic resource data. +When you migrate to a workspace-based resource, no data is transferred from your classic resource's storage to the new workspace-based storage. Choosing to migrate will change the location where new data is written to a Log Analytics workspace while preserving access to your classic resource data. Your classic resource data will persist and be subject to the retention settings on your classic Application Insights resource. All new data ingested post migration will be subject to the [retention settings](../logs/manage-cost-storage.md#change-the-data-retention-period) of the associated Log Analytics workspace, which also supports [different retention settings by data type](../logs/manage-cost-storage.md#retention-by-data-type). -The migration process is permanent, and cannot be reversed. Once you migrate a resource to workspace-based Application Insights, it will always be a workspace-based resource. However, once you migrate you are able to change the target workspace as often as needed. +The migration process is permanent, and cannot be reversed. Once you migrate a resource to workspace-based Application Insights, it will always be a workspace-based resource. However, once you migrate you're able to change the target workspace as often as needed. +<!-- This note duplicates information in pricing.md. Understanding workspace-based usage and costs has been added as a migration prerequisite. > [!NOTE] -> Data ingestion and retention for workspace-based Application Insights resources are [billed through the Log Analytics workspace](../logs/manage-cost-storage.md) where the data is located. Pay-as-you-go data ingestion and data retention are billed similarly in Log Anaytics as they are in Application Insights. If youΓÇÖve selected data retention greater than 90 days on data ingested into the Classic Application Insights resource prior to migration, data retention will continue to be billed to through that Application Insights resource until that data exceeds the retention period. [Learn more]( ./pricing.md#workspace-based-application-insights) about billing for workspace-based Application Insights resources. +> Data ingestion and retention for workspace-based Application Insights resources are [billed through the Log Analytics workspace](../logs/manage-cost-storage.md) where the data is located. Pay-as-you-go data ingestion and data retention are billed similarly in Log Anaytics as they are in Application Insights. If youΓÇÖve selected data retention greater than 90 days on data ingested into the Classic Application Insights resource prior to migration, data retention will continue to be billed to through that Application Insights resource until that data exceeds the retention period. [Learn more]( ./pricing.md#workspace-based-application-insights) about billing for workspace-based Application Insights resources. +--> If you don't need to migrate an existing resource, and instead want to create a new workspace-based Application Insights resource use the [workspace-based resource creation guide](create-workspace-resource.md). If you don't need to migrate an existing resource, and instead want to create a - A Log Analytics workspace with the access control mode set to the `use resource or workspace permissions` setting. - - Workspace-based Application Insights resources are not compatible with workspaces set to the dedicated `workspace based permissions` setting. To learn more about Log Analytics workspace access control, consult the [Log Analytics configure access control mode guidance](../logs/manage-access.md#configure-access-control-mode) + - Workspace-based Application Insights resources aren't compatible with workspaces set to the dedicated `workspace based permissions` setting. To learn more about Log Analytics workspace access control, consult the [Log Analytics configure access control mode guidance](../logs/manage-access.md#configure-access-control-mode) - If you don't already have an existing Log Analytics Workspace, [consult the Log Analytics workspace creation documentation](../logs/quick-create-workspace.md). - Continuous export is not supported for workspace-based resources and must be disabled. -Once the migration is complete, you can use [diagnostic settings](../essentials/diagnostic-settings.md) to configure data archiving to a storage account or streaming to Azure Event Hub. +Once the migration is complete, you can use [diagnostic settings](../essentials/diagnostic-settings.md) to configure data archiving to a storage account or streaming to Azure Event Hubs. > [!CAUTION] > Diagnostics settings uses a different export format/schema than continuous export, migrating will break any existing integrations with Stream Analytics. -- Check your current retention settings under General > Usage and estimated costs > Data Retention for your Log Analytics workspace. This setting will impact how long any new ingested data is stored once you migrate your Application Insights resource. If you currently store Application Insights data for longer than the default 90 days and want to retain this larger retention period, you may need to adjust your workspace retention settings. +- Check your current retention settings under General > Usage and estimated costs > Data Retention for your Log Analytics workspace. This setting will affect how long any new ingested data is stored once you migrate your Application Insights resource. + + > [!NOTE] + > - If you currently store Application Insights data for longer than the default 90 days and want to retain this larger retention period, you may need to adjust your workspace retention settings. + > - If youΓÇÖve selected data retention greater than 90 days on data ingested into the Classic Application Insights resource prior to migration, data retention will continue to be billed to through that Application Insights resource until that data exceeds the retention period. + +- Understand [Workspace-based Application Insights](pricing.md#workspace-based-application-insights) usage and costs. ## Migrate your resource -This section will walk you through the process of migrating a classic Application Insights resource to the new workspace-based resource type. +This section walks through migrating a classic Application Insights resource to a workspace-based resource. 1. From your Application Insights resource, select Properties under the Configure heading in the left-hand menu bar. This section will walk you through the process of migrating a classic Applicatio ![Migration wizard UI with option to select targe workspace](./media/convert-classic-resource/migration.png) -Once your resource is migrated, you will see the corresponding workspace info in the Overview pane: +Once your resource is migrated, you'll see the corresponding workspace info in the Overview pane: ![Workspace Name](./media/create-workspace-resource/workspace-name.png) We still provide full backwards compatibility for your Application Insights clas To write queries against the [new workspace-based table structure/schema](apm-tables.md), you must first navigate to your Log Analytics workspace. -When you query directly from the Log Analytics UI within your workspace, you will only see the data that is ingested post migration. To see both your classic Application Insights data + new data ingested after migration in a unified query experience use the Logs (Analytics) query view from within your migrated Application Insights resource. +When you query directly from the Log Analytics UI within your workspace, you'll only see the data that is ingested post migration. To see both your classic Application Insights data + new data ingested after migration in a unified query experience use the Logs (Analytics) query view from within your migrated Application Insights resource. > [!NOTE] > If you rename your Application Insights resource after migrating to workspace-based model, the Application Insights Logs tab will no longer show the telemetry collected before renaming. You will be able to see all data (old and new) on the Logs tab of the associated Log Analytics resource. To access the preview Application Insights Azure CLI commands, you first need to az extension add -n application-insights ``` -If you don't run the `az extension add` command, you will see an error message that states: `az : ERROR: az monitor: 'app-insights' is not in the 'az monitor' command group. See 'az monitor --help'.` +If you don't run the `az extension add` command, you'll see an error message that states: `az : ERROR: az monitor: 'app-insights' is not in the 'az monitor' command group. See 'az monitor --help'.` Now you can run the following to create your Application Insights resource: For the full Azure CLI documentation for this command, consult the [Azure CLI d ### Azure PowerShell -The `Update-AzApplicationInsights` PowerShell command does not currently support migrating a classic Application Insights resource to workspace-based. To create a workspace-based resource with PowerShell, you can use the Azure Resource Manager templates below and deploy with PowerShell. +The `Update-AzApplicationInsights` PowerShell command doesn't currently support migrating a classic Application Insights resource to workspace-based. To create a workspace-based resource with PowerShell, you can use the Azure Resource Manager templates below and deploy with PowerShell. ### Azure Resource Manager templates From within the Application Insights resource pane, select Properties > Ch In order for your workspace-based Application Insights resource to operate properly you need to change the access control mode of your target Log Analytics workspace to the resource or workspace permissions setting. This setting is located in the Log Analytics workspace UI under Properties > Access control mode. For detailed instructions, consult the [Log Analytics configure access control mode guidance](../logs/manage-access.md#configure-access-control-mode). If your access control mode is set to the exclusive Require workspace permissions setting, migration via the portal migration experience will remain blocked. -If you cannot change the access control mode for security reasons for your current target workspace, we recommend creating a new Log Analytics workspace to use for the migration. +If you canΓÇÖt change the access control mode for security reasons for your current target workspace, we recommend creating a new Log Analytics workspace to use for the migration. ### Continuous export Error message:** Continuous Export needs to be disabled before continuing. After migration, use Diagnostic Settings for export. -The legacy continuous export functionality is not supported for workspace-based resources. Prior to migrating you need to disable continuous export. +The legacy continuous export functionality isn't supported for workspace-based resources. Prior to migrating you need to disable continuous export. 1. From your Application Insights resource view, under the Configure heading select Continuous Export. The legacy continuous export functionality is not supported for workspace-based ![Continuous export disable button](./media/convert-classic-resource/disable.png) -- Once you have selected disable, you can navigate back to the migration UI. If the edit continuous export page prompts you that your settings won't be saved, you can select ok for this prompt as it does not pertain to disabling/enabling continuous export. +- Once you have selected disable, you can navigate back to the migration UI. If the edit continuous export page prompts you that your settings won't be saved, you can select ok for this prompt as it doesn't pertain to disabling/enabling continuous export. -- Once you have successfully migrated your Application Insights resource to workspace-based, you can use Diagnostic settings to replace the functionality that continuous export used to provide. Select Diagnostic settings > add diagnostic setting from within your Application Insights resource. You can select all tables, or a subset of tables to archive to a storage account, or to stream to an Azure Event Hub. For detailed guidance on diagnostic settings, refer to the [Azure Monitor diagnostic settings guidance](../essentials/diagnostic-settings.md). +- Once you've successfully migrated your Application Insights resource to workspace-based, you can use Diagnostic settings to replace the functionality that continuous export used to provide. Select Diagnostic settings > add diagnostic setting from within your Application Insights resource. You can select all tables, or a subset of tables to archive to a storage account, or to stream to Azure Event Hubs. For detailed guidance on diagnostic settings, refer to the [Azure Monitor diagnostic settings guidance](../essentials/diagnostic-settings.md). ### Retention settings -Warning Message: Your customized Application Insights retention settings will not apply to data sent to the workspace. You will need to reconfigure this separately. +Warning Message: Your customized Application Insights retention settings will not apply to data sent to the workspace. You'll need to reconfigure these separately. -You don't have to make any changes prior to migrating, but this message is to alert you that your current Application Insights retention settings are not set to the default 90-day retention period. This warning message means you may want to modify the retention settings for your Log Analytics workspace prior to migrating and starting to ingest new data. +You don't have to make any changes prior to migrating. This message alerts you that your current Application Insights retention settings aren't set to the default 90-day retention period. This warning message means you may want to modify the retention settings for your Log Analytics workspace prior to migrating and starting to ingest new data. -You can check your current retention settings for Log Analytics under General > Usage and estimated costs > Data Retention from within the Log Analytics UI. This setting will impact how long any new ingested data is stored once you migrate your Application Insights resource. +You can check your current retention settings for Log Analytics under General > Usage and estimated costs > Data Retention from within the Log Analytics UI. This setting will affect how long any new ingested data is stored once you migrate your Application Insights resource. ## Next steps * [Explore metrics](../essentials/metrics-charts.md) -* [Write Analytics queries](../logs/log-query-overview.md) +* [Write Analytics queries](../logs/log-query-overview.md)
azure-monitor	Log Analytics Workspace Insights Overview	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/log-analytics-workspace-insights-overview.md	Or The data is organized in tabs, and the time range on top (defaults to 24 hours) applies to all tabs. Some charts and tables use a different time range, as indicated in their titles. -### Overview tab +## Overview tab On the Overview tab you can see: On the Overview tab you can see: - Ingestion anomalies - a list of identified spikes and dips in ingestion to these tables -### Usage tab +## Usage tab -#### Usage dashboard +### Usage dashboard This tab provides information on the workspace's usage. The dashboard sub-tab shows ingestion data of by tables, and defaults to the 5 most ingested tables in the selected time range (same tables displayed in the Overview page). You can choose which tables to display through the Workspace Tables dropdown. The dashboard sub-tab shows ingestion data of by tables, and defaults to the 5 m The chart below it shows separately the latency of the agent (the time it took the agent to send the log to the workspace) and that of the pipeline (the time it took the service to process the data and push it to the workspace). :::image type="content" source="media/log-analytics-workspace-insights-overview/workspace-usage-ingestion-latency.png" alt-text="Screenshot of the workspace usage ingestion latency sub-tab" lightbox="media/log-analytics-workspace-insights-overview/workspace-usage-ingestion-latency.png"::: -#### Additional usage queries +### Additional usage queries The Additional queries sub-tab exposes queries that run across all workspace tables (instead of relying on the usage metadata, refreshed hourly). Since their queries are much more extensive and less efficient, they are not run automatically. However, they can surface interesting information about which resources send most logs to the workspace, and perhaps affect billing. In our demo workspace, you can clearly see that 3 Kuberbetes clusters send far m :::image type="content" source="media/log-analytics-workspace-insights-overview/workspace-usage-additional-query-run.png" alt-text="Screenshot of the workspace usage additional queries tab with results of an additional query" lightbox="media/log-analytics-workspace-insights-overview/workspace-usage-additional-query-run.png"::: -### Health tab +## Health tab This tab shows the workspace health state and when it was last reported, as well as operational [errors and warnings](../logs/monitor-workspace.md) (retrieved from the _LogOperation table). You can find more details on the listed issues as well as mitigation steps in [here](../logs/monitor-workspace.md#categories). :::image type="content" source="media/log-analytics-workspace-insights-overview/workspace-health.png" alt-text="Screenshot of the workspace health tab" lightbox="media/log-analytics-workspace-insights-overview/workspace-health.png"::: -### Agents tab +## Agents tab This tab provides information on the agents sending logs to this workspace. :::image type="content" source="media/log-analytics-workspace-insights-overview/workspace-agents.png" alt-text="Screenshot of the workspae agents tab" lightbox="media/log-analytics-workspace-insights-overview/workspace-agents.png"::: This tab provides information on the agents sending logs to this workspace. * Agents activity - this grid shows information on either all agents, healthy or unhealthy agents. Here too "Healthy" only indicated the agent send a heartbeat during the last hour. To understand its state better, review the trend shown in the grid - it shows how many heartbeats this agent sent over time. The true health state can only be inferred if you know how the monitored resource operates, for example - If a computer is intentionally shut down at particular times, you can expect the agent's heartbeats to appear intermittenly, in a matching pattern. -### Query audit tab +## Query audit tab Query auditing creates logs about the execution of queries on the workspace. If enabled, this data is greatly beneficial to understanding and improving queries performance, efficiency and load. To enable query auditing on your workspace or learn more about it, see [Audit queries in Azure Monitor Logs](../logs/query-audit.md). This tab shows: :::image type="content" source="media/log-analytics-workspace-insights-overview/workspace-query-audit-performance.png" alt-text="Screenshot of the query audit tab, performance sub-tab]" lightbox="media/log-analytics-workspace-insights-overview/workspace-query-audit-performance.png"::: -#### Slow and inefficient queries +### Slow and inefficient queries This tab shows two grids to help you identify slow and inefficient queries you may want to re-think. These queries should not be used in dashboards or alerts, since they will create unneeded chronic load on your workspace. * Most resource-intensive queries - the 10 most CPU-demanding queries, along with the volume of data processed (KB), the time range and text of each query. * Slowest queries - the 10 slowest queries, along with the time range and text of each query. :::image type="content" source="media/log-analytics-workspace-insights-overview/workspace-query-audit-slow-queries.png" alt-text="Screenshot of the query audit tab, slow queries sub-tab" lightbox="media/log-analytics-workspace-insights-overview/workspace-query-audit-slow-queries.png"::: -#### Query users +### Query users This tab shows users activity against this workspace: * Queries by user - how many queries each user ran in the selected time range * Throttled users - users that ran queries that were throttled (due to over-querying the workspace) -### Change log tab +## Change log tab This tab shows configuration changes made on the workspace during the last 90 days (regardless of the time range selected), and who performed them. It is intended to help you monitor who changes important workspace settings, such as data capping or workspace license.
azure-monitor	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure Monitor description: Lists Azure Policy Regulatory Compliance controls available for Azure Monitor. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
azure-resource-manager	Create Private Link Access Portal	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/create-private-link-access-portal.md	Last updated 07/29/2021 -# Use portal to create private link for managing Azure resources +# Use portal to create private link for managing Azure resources (preview) This article explains how you can use [Azure Private Link](../../private-link/index.yml) to restrict access for managing resources in your subscriptions. It shows using the Azure portal for setting up management of resources through private access.
azure-resource-manager	Create Private Link Access Rest	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/create-private-link-access-rest.md	Last updated 07/29/2021 -# Use REST API to create private link for managing Azure resources +# Use REST API to create private link for managing Azure resources (preview) This article explains how you can use [Azure Private Link](../../private-link/index.yml) to restrict access for managing resources in your subscriptions. If your request is automatically approved, you can continue to the next section. ## Next steps -To learn more about private links, see [Azure Private Link](../../private-link/index.yml). +To learn more about private links, see [Azure Private Link](../../private-link/index.yml).
azure-resource-manager	Manage Private Link Access Rest	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/manage-private-link-access-rest.md	Last updated 07/29/2021 -# Manage resource management private links with REST API +# Manage resource management private links with REST API (preview) This article explains how you to work with existing resource management private links. It shows REST API operations for getting and deleting existing resources. The operation returns: ## Next steps * To learn more about private links, see [Azure Private Link](../../private-link/index.yml). -* To create a resource management private links, see [Use portal to create private link for managing Azure resources](create-private-link-access-portal.md) or [Use REST API to create private link for managing Azure resources](create-private-link-access-rest.md). +* To create a resource management private links, see [Use portal to create private link for managing Azure resources](create-private-link-access-portal.md) or [Use REST API to create private link for managing Azure resources](create-private-link-access-rest.md).
azure-resource-manager	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure Resource Manager description: Lists Azure Policy Regulatory Compliance controls available for Azure Resource Manager. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
azure-signalr	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-signalr/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure SignalR description: Lists Azure Policy Regulatory Compliance controls available for Azure SignalR. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
azure-sql	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-sql/database/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure SQL Database description: Lists Azure Policy Regulatory Compliance controls available for Azure SQL Database and SQL Managed Instance. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
backup	Backup Azure Afs Automation	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-afs-automation.md	$afsPol = Get-AzRecoveryServicesBackupProtectionPolicy -Name "dailyafs" Enable protection by using [Enable-AzRecoveryServicesBackupProtection](/powershell/module/az.recoveryservices/enable-azrecoveryservicesbackupprotection). After the policy is associated with the vault, backups are triggered in accordance with the policy schedule. -The following example enables protection for the Azure file share testAzureFileShare in storage account testStorageAcct, with the policy dailyafs: +The following example enables protection for the Azure file share testAzureFS in storage account testStorageAcct, with the policy dailyafs: ```azurepowershell-interactive Enable-AzRecoveryServicesBackupProtection -StorageAccountName "testStorageAcct" -Name "testAzureFS" -Policy $afsPol
backup	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure Backup description: Lists Azure Policy Regulatory Compliance controls available for Azure Backup. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
batch	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure Batch description: Lists Azure Policy Regulatory Compliance controls available for Azure Batch. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
cognitive-services	Translator How To Install Container	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/Translator/containers/translator-how-to-install-container.md	See the list of [languages supported](../language-support.md) when using Transla > [!IMPORTANT] > > * Translator container is in gated preview and to use it you must submit an online request, and have it approved. See [Request approval to run container](#request-approval-to-run-container) below for more information. -> * Translator container supports limited features compared to the cloud offerings. Please refer to Container: Translate for more details. +> * Translator container supports limited features compared to the cloud offerings. See [Container translate methods](translator-container-supported-parameters.md) for more details. <!-- markdownlint-disable MD033 -->
cognitive-services	Cognitive Services Apis Create Account	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/cognitive-services-apis-create-account.md	keywords: cognitive services, cognitive intelligence, cognitive solutions, ai services - Previously updated : 10/28/2021+ Last updated : 03/03/2022 Azure Cognitive Services are cloud-based services with REST APIs, and client lib ## Create a new Azure Cognitive Services resource -1. Create a resource. +### [Multi-service](#tab/multiservice) -### [Multi-service resource](#tab/multiservice) +The multi-service resource is named Cognitive Services in the portal. The multi-service resource enables access to the following Cognitive -The multi-service resource is named Cognitive Services in the portal. [Create a Cognitive Services resource](https://portal.azure.com/#create/Microsoft.CognitiveServicesAllInOne). +* Decision - Content Moderator +* Language - Language, Translator +* Speech - Speech +* Vision - Computer Vision, Custom Vision, Face -At this time, the multi-service resource enables access to the following Cognitive +1. You can select this link to create an Azure Cognitive multi-service resource: [Create a Cognitive Services resource](https://ms.portal.azure.com/#create/Microsoft.CognitiveServicesAllInOne). -* Vision - Computer Vision, Custom Vision, Face -* Speech - Speech -* Language - Language, Translator -* Decision - Content Moderator +1. On the Create page, provide the following information: -### [Single-service resource](#tab/singleservice) + [!INCLUDE [Create Azure resource for subscription](./includes/quickstarts/cognitive-resource-project-details.md)] + + :::image type="content" source="media/cognitive-services-apis-create-account/resource_create_screen-multi.png" alt-text="Multi-service resource creation screen"::: -Use the below links to create a resource for the available Cognitive +1. Configure additional settings for your resource as needed, read and accept the conditions (as applicable), and then select Review + create. -\| Vision \| Speech \| Language \| Decision \| -\|--\|-\|--\|-\| -\| [Computer vision](https://portal.azure.com/#create/Microsoft.CognitiveServicesComputerVision) \| [Speech Services](https://portal.azure.com/#create/Microsoft.CognitiveServicesSpeechServices) \| [Immersive reader](https://portal.azure.com/#create/Microsoft.CognitiveServicesImmersiveReader) \| [Anomaly Detector](https://portal.azure.com/#create/Microsoft.CognitiveServicesAnomalyDetector) \| -\| [Custom vision service](https://portal.azure.com/#create/Microsoft.CognitiveServicesCustomVision) \| \| [Language Understanding (LUIS)](https://portal.azure.com/#create/Microsoft.CognitiveServicesLUISAllInOne) \| [Content Moderator](https://portal.azure.com/#create/Microsoft.CognitiveServicesContentModerator) \| -\| [Face](https://portal.azure.com/#create/Microsoft.CognitiveServicesFace) \| \| [QnA Maker](https://portal.azure.com/#create/Microsoft.CognitiveServicesQnAMaker) \| [Personalizer](https://portal.azure.com/#create/Microsoft.CognitiveServicesPersonalizer) \| -\| \| \| [Language service](https://portal.azure.com/#create/Microsoft.CognitiveServicesTextAnalytics) \| [Metrics Advisor](https://go.microsoft.com/fwlink/?linkid=2142156) \| -\| \| \| [Translator](https://portal.azure.com/#create/Microsoft.CognitiveServicesTextTranslation) \| \| +### [Decision](#tab/decision) - +1. You can select one of these links to create a Decision resource: + - [Anomaly Detector](https://ms.portal.azure.com/#create/Microsoft.CognitiveServicesAnomalyDetector) + - [Content Moderator](https://ms.portal.azure.com/#create/Microsoft.CognitiveServicesContentModerator) + - [Metrics Advisor](https://ms.portal.azure.com/#create/Microsoft.CognitiveServicesMetricsAdvisor) + - [Personalizer](https://ms.portal.azure.com/#create/Microsoft.CognitiveServicesPersonalizer) + +1. On the Create page, provide the following information: -2. On the Create page, provide the following information: -<!-- markdownlint-disable MD024 --> + [!INCLUDE [Create Azure resource for subscription](./includes/quickstarts/cognitive-resource-project-details.md)] -### [Multi-service resource](#tab/multiservice) +1. Configure additional settings for your resource as needed, read and accept the conditions (as applicable), and then select Review + create. -\|Project details\| Description \| -\|--\|--\| -\| Subscription \| Select one of your available Azure subscriptions. \| -\| Resource group \| The Azure resource group that will contain your Cognitive Services resource. You can create a new group or add it to a pre-existing group. \| -\| Region \| The location of your cognitive service instance. Different locations may introduce latency, but have no impact on the runtime availability of your resource. \| -\| Name \| A descriptive name for your cognitive services resource. For example, MyCognitiveServicesResource. \| -\| Pricing tier \| The cost of your Cognitive Services account depends on the options you choose and your usage. For more information, see the API [pricing details](https://azure.microsoft.com/pricing/details/cognitive-services/). +### [Language](#tab/language) -<!--![Multi-service resource creation screen](media/cognitive-services-apis-create-account/resource_create_screen-multi.png)--> +1. You can select one of these links to create a Language resource: + - [Immersive reader](https://ms.portal.azure.com/#create/Microsoft.CognitiveServicesImmersiveReader) + - [Language Understanding (LUIS)](https://ms.portal.azure.com/#create/Microsoft.CognitiveServicesLUISAllInOne) + - [Language service](https://ms.portal.azure.com/#create/Microsoft.CognitiveServicesTextAnalytics) + - [Translator](https://ms.portal.azure.com/#create/Microsoft.CognitiveServicesTextTranslation) + - [QnA Maker](https://ms.portal.azure.com/#create/Microsoft.CognitiveServicesQnAMaker) -Read and accept the conditions (as applicable for you) and then select Review + create. +1. On the Create page, provide the following information: -### [Single-service resource](#tab/singleservice) + [!INCLUDE [Create Azure resource for subscription](./includes/quickstarts/cognitive-resource-project-details.md)] -\|Project details\| Description \| -\|--\|--\| -\| Subscription \| Select one of your available Azure subscriptions. \| -\| Resource group \| The Azure resource group that will contain your Cognitive Services resource. You can create a new group or add it to a pre-existing group. \| -\| Region \| The location of your cognitive service instance. Different locations may introduce latency, but have no impact on the runtime availability of your resource. \| -\| Name \| A descriptive name for your cognitive services resource. For example, MyCognitiveServicesResource. \| -\| Pricing tier \| The cost of your Cognitive Services account depends on the options you choose and your usage. For more information, see the API [pricing details](https://azure.microsoft.com/pricing/details/cognitive-services/). +1. Configure additional settings for your resource as needed, read and accept the conditions (as applicable), and then select Review + create. -<!--![Single-service resource creation screen](media/cognitive-services-apis-create-account/resource_create_screen.png)--> +### [Speech](#tab/speech) -Select Next: Virtual Network and choose the type of network access you want to allow for your resource, and then select Review + create. +1. You can select this link to create a Speech resource: [Speech Services](https://ms.portal.azure.com/#create/Microsoft.CognitiveServicesSpeechServices) + +1. On the Create page, provide the following information: + + [!INCLUDE [Create Azure resource for subscription](./includes/quickstarts/cognitive-resource-project-details.md)] + +1. Configure additional settings for your resource as needed, read and accept the conditions (as applicable), and then select Review + create. + +### [Vision](#tab/vision) + +1. You can select one of these links to create a Vision resource: + - [Computer vision](https://ms.portal.azure.com/#create/Microsoft.CognitiveServicesComputerVision) + - [Custom vision service](https://ms.portal.azure.com/#create/Microsoft.CognitiveServicesCustomVision) + - [Face](https://ms.portal.azure.com/#create/Microsoft.CognitiveServicesFace) + +1. On the Create page, provide the following information: + + [!INCLUDE [Create Azure resource for subscription](./includes/quickstarts/cognitive-resource-project-details.md)] + +1. Configure additional settings for your resource as needed, read and accept the conditions (as applicable), and then select Review + create. Select Next: Virtual Network and choose the type of network access you want ## Get the keys for your resource -1. After your resource is successfully deployed, click on Go to resource under Next Steps. +1. After your resource is successfully deployed, select Next Steps > Go to resource. + + :::image type="content" source="media/cognitive-services-apis-create-account/cognitive-services-resource-deployed.png" alt-text="Get resource keys screen"::: - ![Search for Cognitive Services](media/cognitive-services-apis-create-account/resource-next-steps.png) +1. From the quickstart pane that opens, you can access the resource endpoint and manage keys. -2. From the quickstart pane that opens, you can access your key and endpoint. +1. If you missed the previous steps or need to find your resource later, go to the [Azure services](https://ms.portal.azure.com/#home) home page. From here you can view recent resources, select My resources, or use the search box to find your resource by name. - ![Get key and endpoint](media/cognitive-services-apis-create-account/get-cog-serv-keys.png) + :::image type="content" source="media/cognitive-services-apis-create-account/home-my-resources.png" alt-text="Find resource keys from home screen"::: [!INCLUDE [cognitive-services-environment-variables](../../includes/cognitive-services-environment-variables.md)] Select Next: Virtual Network and choose the type of network access you want If you want to clean up and remove a Cognitive Services subscription, you can delete the resource or resource group. Deleting the resource group also deletes any other resources contained in the group. 1. In the Azure portal, expand the menu on the left side to open the menu of services, and choose Resource Groups to display the list of your resource groups. -2. Locate the resource group containing the resource to be deleted -3. Right-click on the resource group listing. Select Delete resource group, and confirm. +1. Locate the resource group containing the resource to be deleted +1. Right-click on the resource group listing. Select Delete resource group, and confirm. If you need to recover a deleted resource, see [Recover deleted Cognitive Services resources](manage-resources.md).
cognitive-services	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cognitive-services/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure Cognitive Services description: Lists Azure Policy Regulatory Compliance controls available for Azure Cognitive Services. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
container-registry	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure Container Registry description: Lists Azure Policy Regulatory Compliance controls available for Azure Container Registry. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
cosmos-db	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure Cosmos DB description: Lists Azure Policy Regulatory Compliance controls available for Azure Cosmos DB. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
data-lake-analytics	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-analytics/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure Data Lake Analytics description: Lists Azure Policy Regulatory Compliance controls available for Azure Data Lake Analytics. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
data-lake-store	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-store/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure Data Lake Storage Gen1 description: Lists Azure Policy Regulatory Compliance controls available for Azure Data Lake Storage Gen1. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
databox	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure Data Box description: Lists Azure Policy Regulatory Compliance controls available for Azure Data Box. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
defender-for-cloud	Recommendations Reference Aws	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/recommendations-reference-aws.md	Title: Reference table for all Microsoft Defender for Cloud recommendations for AWS resources description: This article lists Microsoft Defender for Cloud's security recommendations that help you harden and protect your AWS resources. Previously updated : 01/12/2022 Last updated : 03/13/2022 # Security recommendations for AWS resources - a reference guide
defender-for-cloud	Release Notes	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/release-notes.md	Updates in March include: - [Defender for Containers can now scan for vulnerabilities in Windows images (preview)](#defender-for-containers-can-now-scan-for-vulnerabilities-in-windows-images-preview) - [New alert for Microsoft Defender for Storage (preview)](#new-alert-for-microsoft-defender-for-storage-preview) - [Configure email notifications settings from an alert](#configure-email-notifications-settings-from-an-alert) - +- [Deprecated preview alert: ARM.MCAS_ActivityFromAnonymousIPAddresses](#deprecated-preview-alert-armmcas_activityfromanonymousipaddresses) + ### Deprecated the recommendations to install the network traffic data collection agent Changes in our roadmap and priorities have removed the need for the network traffic data collection agent. Consequently, the following two recommendations and their related policies were deprecated. A new section has been added to the alert User Interface (UI) which allows you t Learn how to [Configure email notifications for security alerts](configure-email-notifications.md). +### Deprecated preview alert: ARM.MCAS_ActivityFromAnonymousIPAddresses + +The following preview alert has been deprecated: + +\|Alert name\| Description\| +\|-\|\| +\|PREVIEW - Activity from a risky IP address<br>(ARM.MCAS_ActivityFromAnonymousIPAddresses)\|Users activity from an IP address that has been identified as an anonymous proxy IP address has been detected.<br>These proxies are used by people who want to hide their device's IP address, and can be used for malicious intent. This detection uses a machine learning algorithm that reduces false positives, such as mis-tagged IP addresses that are widely used by users in the organization.<br>Requires an active Microsoft Defender for Cloud Apps license.\| + +A new alert has been created that provides this information and adds to it. In addition, the newer alerts (ARM_OperationFromSuspiciousIP, ARM_OperationFromSuspiciousProxyIP) doesn't require a license for Microsoft Defender for Cloud Apps (formerly known as Microsoft Cloud App Security). + +See more alerts for [Resource Manager](alerts-reference.md#alerts-resourcemanager). + ## February 2022 Updates in February include:
defender-for-cloud	Upcoming Changes	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/upcoming-changes.md	Title: Important changes coming to Microsoft Defender for Cloud description: Upcoming changes to Microsoft Defender for Cloud that you might need to be aware of and for which you might need to plan Previously updated : 03/08/2022 Last updated : 03/13/2022 # Important upcoming changes to Microsoft Defender for Cloud If you're looking for the latest release notes, you'll find them in the [What's \| Planned change \| Estimated date for change \| \|--\|--\| -\| [Deprecating a preview alert: ARM.MCAS_ActivityFromAnonymousIPAddresses](#deprecating-a-preview-alert-armmcas_activityfromanonymousipaddresses) \| January 2022 \| \| [Legacy implementation of ISO 27001 is being replaced with new ISO 27001:2013](#legacy-implementation-of-iso-27001-is-being-replaced-with-new-iso-270012013) \| January 2022 \| \| [Deprecating the recommendation to use service principals to protect your subscriptions](#deprecating-the-recommendation-to-use-service-principals-to-protect-your-subscriptions) \| February 2022 \| \| [Moving recommendation Vulnerabilities in container security configurations should be remediated from the secure score to best practices](#moving-recommendation-vulnerabilities-in-container-security-configurations-should-be-remediated-from-the-secure-score-to-best-practices) \| February 2022 \| If you're looking for the latest release notes, you'll find them in the [What's \| [Deprecating Microsoft Defender for IoT device alerts](#deprecating-microsoft-defender-for-iot-device-alerts) \| March 2022 \| \| [Multiple changes to identity recommendations](#multiple-changes-to-identity-recommendations) \| May 2022 \| -### Deprecating a preview alert: ARM.MCAS_ActivityFromAnonymousIPAddresses - -Estimated date for change: January 2022 - -We'll be deprecating the following preview alert: - -\|Alert name\| Description\| -\|-\|\| -\|PREVIEW - Activity from a risky IP address<br>(ARM.MCAS_ActivityFromAnonymousIPAddresses)\|Users activity from an IP address that has been identified as an anonymous proxy IP address has been detected.<br>These proxies are used by people who want to hide their device's IP address, and can be used for malicious intent. This detection uses a machine learning algorithm that reduces false positives, such as mis-tagged IP addresses that are widely used by users in the organization.<br>Requires an active Microsoft Defender for Cloud Apps license.\| -\|\|\| - -We've created new alerts that provide this information and add to it. In addition, the newer alerts (ARM_OperationFromSuspiciousIP, ARM_OperationFromSuspiciousProxyIP) don't require a license for Microsoft Defender for Cloud Apps (formerly known as Microsoft Cloud App Security). - ### Legacy implementation of ISO 27001 is being replaced with new ISO 27001:2013 Estimated date for change: January 2022
defender-for-iot	Troubleshoot Defender Micro Agent	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/device-builders/troubleshoot-defender-micro-agent.md	# Defender for IoT micro agent troubleshooting (Preview) -If an unexpected error occurs, you canΓÇ»use these troubleshooting methods in an attempt to resolve the issue. You can also reach out to the AzureΓÇ»Defender for CloudΓÇ»for IoTΓÇ»product team for assistance as needed.ΓÇ»ΓÇ» +If an unexpected error occurs, you canΓÇ»use these troubleshooting methods in an attempt to resolve the issue. ## Service status
defender-for-iot	Tutorial Configure Your Solution	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/device-builders/tutorial-configure-your-solution.md	Once enabled, Defender for IoT will automatically identify other Azure services, You can select other Azure resource groups that are part of your IoT solution. Your selections allow you to add entire subscriptions, resource groups, or single resources. -After defining all of the resource relationships, Defender for IoT will use Defender for Cloud to provide you security recommendations, and alerts for your resources. - In this tutorial you'll learn how to: > [!div class="checklist"]
defender-for-iot	Tutorial Standalone Agent Binary Installation	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/device-builders/tutorial-standalone-agent-binary-installation.md	You will need to copy the module identity connection string from the DefenderIoT :::image type="content" source="media/quickstart-standalone-agent-binary-installation/copy-button.png" alt-text="Select the copy button to copy the Connection string (primary key)."::: -1. Create a file named `connection_string.txt` containing the copied connection string encoded in utf-8 in the Defender for Cloud agent directory `/etc/defender_iot_micro_agent` path by entering the following command: +1. Create a file named `connection_string.txt` containing the copied connection string encoded in utf-8 in the Defender for IoT agent directory `/etc/defender_iot_micro_agent` path by entering the following command: ```bash sudo bash -c 'echo "<connection string>" > /etc/defender_iot_micro_agent/connection_string.txt' ``` The `connection_string.txt` will now be located in the following path location `/etc/defender_iot_micro_agent/connection_string.txt`. + Please note that the connection string includes a key that enables direct access to the module itself, therefore includes sensitive information that should only be used and readable by root users. 1. Restart the service using this command: You will need to copy the module identity connection string from the DefenderIoT `HostName=<the host name of the iot hub>;DeviceId=<the id of the device>;ModuleId=<the id of the module>;x509=true` - This string alerts the Defender for Cloud agent, to expect a certificate be provided for authentication. + This string alerts the Defender for IoT agent, to expect a certificate be provided for authentication. 1. Restart the service using the following command:
defender-for-iot	Architecture	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/architecture.md	Microsoft Defender for IoT includes the following components: - Microsoft Defender for IoT sensor VM or appliance - On-premises management console for local site management - ### Microsoft Defender for IoT sensors The Defender for IoT sensors discover, and continuously monitor network devices. Sensors collect ICS network traffic using passive (agentless) monitoring on IoT and OT devices. Managing Microsoft Defender for IoT across hybrid environments is accomplished v ### Sensor console Sensor detections are displayed in the sensor console, where they can be viewed, investigated, and analyzed in a network map, device inventory, and in an extensive range of reports, for example risk assessment reports, data mining queries and attack vectors. You can also use the console to view and handle threats detected by sensor engines, forward information to partner systems, manage users, and more. ### On-premises management console The on-premises management console enables security operations center (SOC) operators to manage and analyze alerts aggregated from multiple sensors into one single dashboard and provides an overall view of the health of the OT networks. Tightly integrated with your SOC workflows and run books, it enables easy priori - Control all sensors ΓÇô configure and monitor all sensors from a single location. - :::image type="content" source="media/architecture/initial-dashboard.png" alt-text="Screen shot of dashboard." lightbox="media/architecture/initial-dashboard.png"::: - ### Azure portal Defender for IoT in the Azure portal in Azure is used to help you:
defender-for-iot	How To Connect Sensor By Proxy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/how-to-connect-sensor-by-proxy.md	This article describes how to configure Microsoft Defender for IoT to communicat The proxy uses an encrypted SSL tunnel to transfer data from the sensors to the service. The proxy doesn't inspect, analyze, or cache any data. -The following diagram shows data going from Microsoft Defender for Cloud to IoT sensor in the OT segment to cloud via a proxy located in the IT network, and industrial DMZ. +The following diagram shows data going from Microsoft Defender for IoT to the IoT sensor in the OT segment to cloud via a proxy located in the IT network, and industrial DMZ. :::image type="content" source="media/how-to-connect-sensor-by-proxy/cloud-access.png" alt-text="Connect the sensor to a proxy through the cloud.":::
defender-for-iot	How To Manage Individual Sensors	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/how-to-manage-individual-sensors.md	Title: Manage individual sensors description: Learn how to manage individual sensors, including managing activation files, certificates, performing backups, and updating a standalone sensor. Previously updated : 11/09/2021 Last updated : 03/10/2022 The console will display restore failures. ## Update a standalone sensor version -The following procedure describes how to update a standalone sensor by using the sensor console. +This procedure describes how to update a standalone sensor version. If you are upgrading from a version higher than 22.1.x, you can jump straight to [Update your sensor software version](#update-your-sensor-software-version). + +However, if you're upgrading from a version earlier than 22.1.x, make sure to [Download a new activation file for version 22.1.x or higher](#download-a-new-activation-file-for-version-221x-or-higher) before you upgrade, and then [reactivate your sensor](#reactivate-your-sensor-for-version-221x-or-higher) after upgrading. + +Updates from legacy versions may require a series of upgrades. For example, if you still have a sensor version 3.1.1 installed, you'll need to first upgrade to version 10.5.5, and then to a 22.x version. + +### Download a new activation file for version 22.1.x or higher + +Version [22.1.x ](release-notes.md#update-to-version-221x) is a large upgrade with more complicated background processes. You should expect this upgrade to take more time than earlier upgrades have required. + +1. Update your firewall rules between the sensor and the Azure portal. For more information, see [Sensor access to Azure portal](how-to-set-up-your-network.md#sensor-access-to-azure-portal). + +1. In Defender for IoT, select Sites and sensors on the left. + +1. Select the site where you want to update your sensor, and then navigate to the sensor you want to update. + +1. Expand the row for your sensor, select the options ... menu on the right of the row, and then select Prepare to update to 22.x. + + :::image type="content" source="media/how-to-manage-sensors-on-the-cloud/prepare-to-update.png" alt-text="Screenshot of the Prepare to update option." lightbox="media/how-to-manage-sensors-on-the-cloud/prepare-to-update.png"::: + +1. In the Prepare to update sensor to version 22.X message, select Let's go. + +1. When the new activation file is ready, download it and verify that the sensor status has switched to Pending activation. + +### Update your sensor software version 1. In the Azure portal, go to Defender for IoT > Getting started > Updates. The following procedure describes how to update a standalone sensor by using the :::image type="content" source="media/how-to-manage-individual-sensors/defender-for-iot-version.png" alt-text="Screenshot of the upgrade version that appears after you sign in."::: -If you're upgrading from version 10.5.x to version 22.x, make sure to reactivate your sensor. For more information, see [Reactivate a sensor for upgrades to version 22.x from a legacy version](how-to-manage-sensors-on-the-cloud.md#reactivate-a-sensor-for-upgrades-to-version-22x-from-a-legacy-version). +### Reactivate your sensor for version 22.1.x or higher + +If you're upgrading from a legacy version to version 22.1.x or higher, make sure to reactivate your sensor using the activation file you downloaded earlier. + +1. On your sensor, select System settings > Sensor management > Subscription & Mode Activation. -After upgrading to version 22.1.x, the new upgrade log can be found at the following path, accessed via SSH and the cyberx_host user: `/opt/sensor/logs/legacy-upgrade.log`. +1. In the Subscription & Mode Activation pane that appears on the right, select Select file, and then browse to and select your new activation file. +1. In Defender for IoT on the Azure portal, monitor your sensor's activation status. When the sensor is fully activated: + + - The sensor's Overview page shows an activation status of Valid. + - In the Azure portal, on the Sites and sensors page, the sensor is listed as OT cloud connected and with the updated sensor version. + +Your legacy sensors will continue to appear in the Sites and sensors page until you delete them. For more information, see [Manage on-boarded sensors](how-to-manage-sensors-on-the-cloud.md#manage-on-boarded-sensors). + +> [!NOTE] +> After upgrading to version 22.1.x, the new upgrade log can be found at the following path, accessed via SSH and the cyberx_host user: `/opt/sensor/logs/legacy-upgrade.log`. +> ## Forward sensor failure alerts You can forward alerts to third parties to provide details about:
defender-for-iot	How To Manage Sensors On The Cloud	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/how-to-manage-sensors-on-the-cloud.md	In such cases, do the following: ### Reactivate a sensor for upgrades to version 22.x from a legacy version -This procedure describes how to reactivate a sensor specifically when upgrading to version 22.x from version 10.5.x. +If you are updating your sensor version from a legacy version to 22.1.x or higher, you'll need a somewhat different activation procedure than for earlier releases. -To reactivate your sensor after a legacy upgrade: +Make sure that you've started with the relevant updates steps for this update. For more information, see [Update a standalone sensor version](how-to-manage-individual-sensors.md#update-a-standalone-sensor-version). -1. Make sure that your sensor is fully upgraded. For more information, see [Update a standalone sensor version](how-to-manage-individual-sensors.md#update-a-standalone-sensor-version). - -1. In Defender for IoT, select Sites and sensors on the left. - -1. Select the site where you want to update your sensor, and then navigate to the sensor you want to update. - -1. Expand the row for your sensor, select the options ... menu on the right of the row, and then select Prepare to update to 22.x. - - :::image type="content" source="media/how-to-manage-sensors-on-the-cloud/prepare-to-update.png" alt-text="Screenshot of the Prepare to update option." lightbox="media/how-to-manage-sensors-on-the-cloud/prepare-to-update.png"::: - -1. In the Prepare to update sensor to version 22.X message, select Let's go. - -1. When the new activation file is ready, download it and verify that the sensor status has switched to Pending activation. - -1. Use your newly downloaded activation file to activate your upgraded sensor. - - 1. On your sensor, select System settings > Sensor management > Subscription & Mode Activation. - - 1. In the Subscription & Mode Activation pane that appears on the right, select Select file, and then browse to and select your new activation file. - -1. In Defender for IoT on the Azure portal, monitor your sensor's activation status. When the sensor is fully activated: - - - The sensor's Overview page shows an activation status of Valid. - - In the Azure portal, on the Sites and sensors page, the sensor is listed as OT cloud connected and with the updated sensor version. - -Your legacy sensors will continue to appear in the Sites and sensors page until you delete them. For more information, see [above](#manage-on-boarded-sensors). +> [!NOTE] +> After upgrading to version 22.1.x, the new upgrade log can be found at the following path, accessed via SSH and the cyberx_host user: `/opt/sensor/logs/legacy-upgrade.log`. +> ## Next steps
defender-for-iot	How To Manage Subscriptions	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/how-to-manage-subscriptions.md	Your enterprise may have more than one paying entity. If this is the case you ca Before you subscribe, you should have a sense of how many devices you would like your subscriptions to cover. -Users can also work with trial subscription, which supports monitoring a limited number of devices for 30 days. See [Microsoft Defender for Cloud pricing](https://azure.microsoft.com/pricing/details/azure-defender/) information on committed device prices. +Users can also work with trial subscription, which supports monitoring a limited number of devices for 30 days. See [Microsoft Defender for IoT pricing](https://azure.microsoft.com/pricing/details/defender-for-cloud/#defenderforiot) information on committed device prices. ## Requirements
defender-for-iot	How To Set Up High Availability	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/how-to-set-up-high-availability.md	This deployment is implemented with an on-premises management console pair that When a primary and secondary on-premises management console is paired: -- An on-premises management console SLL certificate is applied to create a secure connection between the primary and secondary appliances. The SLL may be the self-signed certificate installed by default or a certificate installed by the customer. +- An on-premises management console SSL certificate is applied to create a secure connection between the primary and secondary appliances. The SLL may be the self-signed certificate installed by default or a certificate installed by the customer. When validation is `ON`, the appliance should be able to establish connection to the CRL server defined by the certificate.
defender-for-iot	Release Notes	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/release-notes.md	Title: What's new in Microsoft Defender for IoT description: This article lets you know what's new in the latest release of Defender for IoT. Previously updated : 02/15/2022 Last updated : 03/13/2022 # What's new in Microsoft Defender for IoT? The Defender for IoT sensor and on-premises management console update packages i \| Version \| Date released \| End support date \| \|--\|--\|--\| -\| 22.1 \| 02/2022 \| 10/2022 \| +\| 22.1.1 \| 02/2022 \| 10/2022 \| +\| 10.5.5 \| 12/2021 \| 09/2022 \| +\| 10.5.4 \| 12/2021 \| 09/2022 \| +\| 10.5.3 \| 10/2021 \| 07/2022 \| +\| 10.5.2 \| 10/2021 \| 07/2022 \| \| 10.0 \| 01/2021 \| 10/2021 \| \| 10.3 \| 04/2021 \| 01/2022 \| -\| 10.5.2 \| 10/2021 \| 07/2022 \| -\| 10.5.3 \| 10/2021 \| 07/2022 \| -\| 10.5.4 \| 12/2021 \| 09/2022 \| ## February 2022 +- [New sensor installation wizard](#new-sensor-installation-wizard) - [Sensor redesign and unified Microsoft product experience](#sensor-redesign-and-unified-microsoft-product-experience) - [Enhanced sensor Overview page](#enhanced-sensor-overview-page) - [New support diagnostics log](#new-support-diagnostics-log) - [Alert updates](#alert-updates)-- [New sensor installation wizard](#new-sensor-installation-wizard)-- [Containerized sensor installation](#containerized-sensor-installation)-- [Upgrade to version 22.1](#upgrade-to-version-221) +- [CLI command updates](#cli-command-updates) +- [Update to version 22.1.x](#update-to-version-221x) - [New connectivity model and firewall requirements](#new-connectivity-model-and-firewall-requirements) - [Protocol improvements](#protocol-improvements) - [Modified, replaced, or removed options and configurations](#modified-replaced-or-removed-options-and-configurations) +### New sensor installation wizard + +Previously, you needed to use separate dialogs to upload a sensor activation file, verify your sensor network configuration, and configure your SSL/TLS certificates. + +Now, when installing a new sensor or a new sensor version, our installation wizard provides a streamlined interface to do all these tasks from a single location. + +For more information, see [Defender for IoT installation](how-to-install-software.md). + ### Sensor redesign and unified Microsoft product experience The Defender for IoT sensor console has been redesigned to create a unified Microsoft Azure experience and enhance and simplify workflows. The sensor console's Custom alert rules page now provides: :::image type="content" source="media/how-to-manage-sensors-on-the-cloud/protocol-support-custom-alerts.png" alt-text="Screenshot of the updated Custom alerts dialog. "lightbox="media/how-to-manage-sensors-on-the-cloud/protocol-support-custom-alerts.png"::: -### New sensor installation wizard - -Previously, you needed to use separate dialogs to upload a sensor activation file, verify your sensor network configuration, and configure your SSL/TLS certificates. - -Now, when installing a new sensor or a new sensor version, our installation wizard provides a streamlined interface to do all these tasks from a single location. - -For more information, see [Defender for IoT installation](how-to-install-software.md). - -### Containerized sensor installation +### CLI command updates The Defender for Iot sensor software installation is now containerized. With the now-containerized sensor, you can use the cyberx_host user to investigate issues with other containers or the operating system, or to send files via FTP. As part of the containerized sensor, the following CLI commands have been modifi \|`cyberx-xsense-reload-interfaces` \| `sudo dpkg-reconfigure iot-sensor` \| \|`cyberx-xsense-reconfigure-hostname` \| `sudo dpkg-reconfigure iot-sensor` \| \| `cyberx-xsense-system-remount-disks` \|`sudo dpkg-reconfigure iot-sensor` \| -\| \| \| + The `sudo cyberx-xsense-limit-interface-I eth0 -l value` CLI command was removed. This command was used to limit the interface bandwidth that the sensor uses for day-to-day procedures, and is no longer supported. For more information, see [Defender for IoT installation](how-to-install-software.md) and [Work with Defender for IoT CLI commands](references-work-with-defender-for-iot-cli-commands.md). -### Upgrade to version 22.1 +### Update to version 22.1.x -Upgrade your sensor versions directly to 22.1. Make sure that you've downloaded and upgraded your sensor machine, and then reactivated your sensor from the Azure portal using the new activation file. +To use all of Defender for IoT's latest features, make sure to update your sensor software versions to 22.1.x. -For more information, see: --- [Update a standalone sensor version](how-to-manage-individual-sensors.md#update-a-standalone-sensor-version)-- [Reactivate a sensor for upgrades to version 22.x from a legacy version](how-to-manage-sensors-on-the-cloud.md#reactivate-a-sensor-for-upgrades-to-version-22x-from-a-legacy-version) +If you're on a legacy version, you may need to run a series of updates in order to get to the latest version. You'll also need to update your firewall rules and re-activate your sensor with a new activation file. After you've upgraded to version 22.1.x, the new upgrade log can be found at the following path, accessed via SSH and the cyberx_host user: `/opt/sensor/logs/legacy-upgrade.log`. +For more information, see [Update a standalone sensor version](how-to-manage-individual-sensors.md#update-a-standalone-sensor-version). + +> [!NOTE] +> Upgrading to version 22.1.x is a large update, and you should expect the update process to require more time than previous updates. +> + ### New connectivity model and firewall requirements With this version, users are only required to install sensors and connect to Defender for IoT on the Azure portal. Defender for IoT no longer requires you to install, pay for, or manage an IoT Hub. In sensor and on-premises management console Alerts, the term Manage this Event ## Next steps -[Getting started with Defender for IoT](getting-started.md) +[Getting started with Defender for IoT](getting-started.md)
event-grid	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure Event Grid description: Lists Azure Policy Regulatory Compliance controls available for Azure Event Grid. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
event-hubs	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure Event Hubs description: Lists Azure Policy Regulatory Compliance controls available for Azure Event Hubs. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
governance	Australia Ism	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/australia-ism.md	Title: Regulatory Compliance details for Australian Government ISM PROTECTED description: Details of the Australian Government ISM PROTECTED Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/15/2022 Last updated : 03/10/2022 initiative definition. \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| -\|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) \|This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but don't have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). \|modify \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) \| +\|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) \|This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). \|modify \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) \| \|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) \|This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but don't have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). \|modify \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) \| \|[Audit Windows machines that have the specified members in the Administrators group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f) \|Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. \|auditIfNotExists \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembersToExclude_AINE.json) \| \|[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) \|This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). \|deployIfNotExists \|[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) \| initiative definition. \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| -\|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) \|Audits virtual machines to detect whether they're running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) \| +\|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) \|Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) \| \|[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) \|Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. \|AuditIfNotExists, Disabled \|[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) \| \|[Vulnerabilities in container security configurations should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8cbc669-f12d-49eb-93e7-9273119e9933) \|Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerBenchmark_Audit.json) \| -\|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) \|Servers which don't satisfy the configured baseline will be monitored by Azure Security Center as recommendations \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) \| +\|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) \|Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) \| \|[Vulnerabilities in security configuration on your virtual machine scale sets should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4) \|Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssOSVulnerabilities_Audit.json) \| \|[Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9) \|Ensure that an email address is provided for the 'Send scan reports to' field in the Vulnerability Assessment settings. This email address receives scan result summary after a periodic scan runs on SQL servers. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_VulnerabilityAssessmentEmails_Audit.json) \| \|[Vulnerability assessment should be enabled on SQL Managed Instance](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b7aa243-30e4-4c9e-bca8-d0d3022b634a) \|Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. \|AuditIfNotExists, Disabled \|[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnManagedInstance_Audit.json) \| -\|[Vulnerability assessment should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9) \|Audit Azure SQL servers, which don't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json) \| +\|[Vulnerability assessment should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9) \|Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json) \| ### When to patch security vulnerabilities - 1144 initiative definition. \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| -\|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) \|Audits virtual machines to detect whether they're running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) \| +\|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) \|Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) \| \|[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) \|Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. \|AuditIfNotExists, Disabled \|[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) \| \|[Vulnerabilities in container security configurations should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8cbc669-f12d-49eb-93e7-9273119e9933) \|Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerBenchmark_Audit.json) \| -\|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) \|Servers, which don't satisfy the configured baseline will be monitored by Azure Security Center as recommendations \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) \| +\|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) \|Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) \| \|[Vulnerabilities in security configuration on your virtual machine scale sets should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4) \|Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssOSVulnerabilities_Audit.json) \| \|[Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9) \|Ensure that an email address is provided for the 'Send scan reports to' field in the Vulnerability Assessment settings. This email address receives scan result summary after a periodic scan runs on SQL servers. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_VulnerabilityAssessmentEmails_Audit.json) \| -\|[Vulnerability assessment should be enabled on SQL Managed Instance](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b7aa243-30e4-4c9e-bca8-d0d3022b634a) \|Audit each SQL Managed Instance, which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. \|AuditIfNotExists, Disabled \|[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnManagedInstance_Audit.json) \| -\|[Vulnerability assessment should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9) \|Audit Azure SQL servers, which don't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json) \| +\|[Vulnerability assessment should be enabled on SQL Managed Instance](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b7aa243-30e4-4c9e-bca8-d0d3022b634a) \|Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. \|AuditIfNotExists, Disabled \|[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnManagedInstance_Audit.json) \| +\|[Vulnerability assessment should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9) \|Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json) \| ### When to patch security vulnerabilities - 1472 initiative definition. \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| -\|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) \|Audits virtual machines to detect whether they're running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) \| +\|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) \|Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) \| \|[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) \|Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. \|AuditIfNotExists, Disabled \|[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) \| \|[Vulnerabilities in container security configurations should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8cbc669-f12d-49eb-93e7-9273119e9933) \|Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerBenchmark_Audit.json) \| -\|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) \|Servers, which don't satisfy the configured baseline will be monitored by Azure Security Center as recommendations \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) \| +\|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) \|Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) \| \|[Vulnerabilities in security configuration on your virtual machine scale sets should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4) \|Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssOSVulnerabilities_Audit.json) \| \|[Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9) \|Ensure that an email address is provided for the 'Send scan reports to' field in the Vulnerability Assessment settings. This email address receives scan result summary after a periodic scan runs on SQL servers. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_VulnerabilityAssessmentEmails_Audit.json) \| -\|[Vulnerability assessment should be enabled on SQL Managed Instance](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b7aa243-30e4-4c9e-bca8-d0d3022b634a) \|Audit each SQL Managed Instance, which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. \|AuditIfNotExists, Disabled \|[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnManagedInstance_Audit.json) \| -\|[Vulnerability assessment should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9) \|Audit Azure SQL servers, which don't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json) \| +\|[Vulnerability assessment should be enabled on SQL Managed Instance](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b7aa243-30e4-4c9e-bca8-d0d3022b634a) \|Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. \|AuditIfNotExists, Disabled \|[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnManagedInstance_Audit.json) \| +\|[Vulnerability assessment should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9) \|Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json) \| ### When to patch security vulnerabilities - 1494 initiative definition. \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| -\|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) \|Audits virtual machines to detect whether they're running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) \| +\|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) \|Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) \| \|[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) \|Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. \|AuditIfNotExists, Disabled \|[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) \| \|[Vulnerabilities in container security configurations should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8cbc669-f12d-49eb-93e7-9273119e9933) \|Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerBenchmark_Audit.json) \| -\|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) \|Servers which don't satisfy the configured baseline will be monitored by Azure Security Center as recommendations \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) \| +\|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) \|Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) \| \|[Vulnerabilities in security configuration on your virtual machine scale sets should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4) \|Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssOSVulnerabilities_Audit.json) \| \|[Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9) \|Ensure that an email address is provided for the 'Send scan reports to' field in the Vulnerability Assessment settings. This email address receives scan result summary after a periodic scan runs on SQL servers. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_VulnerabilityAssessmentEmails_Audit.json) \| \|[Vulnerability assessment should be enabled on SQL Managed Instance](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b7aa243-30e4-4c9e-bca8-d0d3022b634a) \|Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. \|AuditIfNotExists, Disabled \|[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnManagedInstance_Audit.json) \| -\|[Vulnerability assessment should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9) \|Audit Azure SQL servers, which don't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json) \| +\|[Vulnerability assessment should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9) \|Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json) \| ### When to patch security vulnerabilities - 1495 initiative definition. \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| -\|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) \|Audits virtual machines to detect whether they're running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) \| +\|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) \|Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) \| \|[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) \|Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. \|AuditIfNotExists, Disabled \|[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) \| \|[Vulnerabilities in container security configurations should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8cbc669-f12d-49eb-93e7-9273119e9933) \|Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerBenchmark_Audit.json) \| -\|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) \|Servers which don't satisfy the configured baseline will be monitored by Azure Security Center as recommendations \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) \| +\|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) \|Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) \| \|[Vulnerabilities in security configuration on your virtual machine scale sets should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4) \|Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssOSVulnerabilities_Audit.json) \| \|[Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9) \|Ensure that an email address is provided for the 'Send scan reports to' field in the Vulnerability Assessment settings. This email address receives scan result summary after a periodic scan runs on SQL servers. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_VulnerabilityAssessmentEmails_Audit.json) \| \|[Vulnerability assessment should be enabled on SQL Managed Instance](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b7aa243-30e4-4c9e-bca8-d0d3022b634a) \|Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. \|AuditIfNotExists, Disabled \|[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnManagedInstance_Audit.json) \| -\|[Vulnerability assessment should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9) \|Audit Azure SQL servers, which don't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json) \| +\|[Vulnerability assessment should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9) \|Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json) \| ### When to patch security vulnerabilities - 1496 initiative definition. \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| -\|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) \|Audits virtual machines to detect whether they're running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) \| +\|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) \|Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) \| \|[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) \|Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. \|AuditIfNotExists, Disabled \|[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) \| \|[Vulnerabilities in container security configurations should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8cbc669-f12d-49eb-93e7-9273119e9933) \|Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerBenchmark_Audit.json) \| -\|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) \|Servers which don't satisfy the configured baseline will be monitored by Azure Security Center as recommendations \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) \| +\|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) \|Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) \| \|[Vulnerabilities in security configuration on your virtual machine scale sets should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4) \|Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssOSVulnerabilities_Audit.json) \| \|[Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9) \|Ensure that an email address is provided for the 'Send scan reports to' field in the Vulnerability Assessment settings. This email address receives scan result summary after a periodic scan runs on SQL servers. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_VulnerabilityAssessmentEmails_Audit.json) \| \|[Vulnerability assessment should be enabled on SQL Managed Instance](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b7aa243-30e4-4c9e-bca8-d0d3022b634a) \|Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. \|AuditIfNotExists, Disabled \|[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnManagedInstance_Audit.json) \| -\|[Vulnerability assessment should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9) \|Audit Azure SQL servers, which don't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json) \| +\|[Vulnerability assessment should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9) \|Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json) \| ## Guidelines for System Management - Data backup and restoration initiative definition. \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| -\|[Audit virtual machines without disaster recovery configured](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56) \|Audit virtual machines which don't have disaster recovery configured. To learn more about disaster recovery, visit [https://aka.ms/asr-doc](../../../site-recovery/index.yml). \|auditIfNotExists \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/RecoveryServices_DisasterRecovery_Audit.json) \| +\|[Audit virtual machines without disaster recovery configured](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56) \|Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit [https://aka.ms/asr-doc](../../../site-recovery/index.yml). \|auditIfNotExists \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/RecoveryServices_DisasterRecovery_Audit.json) \| ## Guidelines for System Monitoring - Event logging and auditing initiative definition. \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| -\|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) \|This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but don't have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). \|modify \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) \| -\|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) \|This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but don't have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). \|modify \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) \| +\|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) \|This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). \|modify \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) \| +\|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) \|This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). \|modify \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) \| \|[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) \|This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). \|deployIfNotExists \|[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) \| \|[Only secure connections to your Azure Cache for Redis should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F22bee202-a82f-4305-9a2a-6d7f44d4dedb) \|Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking \|Audit, Deny, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_AuditSSLPort_Audit.json) \| \|[Secure transfer to storage accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F404c3081-a854-4457-ae30-26a93ef643f9) \|Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking \|Audit, Deny, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_AuditForHTTPSEnabled_Audit.json) \| initiative definition. \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| -\|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) \|This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but don't have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). \|modify \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) \| -\|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) \|This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but don't have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). \|modify \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) \| +\|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) \|This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). \|modify \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) \| +\|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) \|This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). \|modify \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) \| \|[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) \|This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). \|deployIfNotExists \|[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) \| \|[Latest TLS version should be used in your API App](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e) \|Upgrade to the latest TLS version \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_ApiApp_Audit.json) \| \|[Latest TLS version should be used in your Function App](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) \|Upgrade to the latest TLS version \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_FunctionApp_Audit.json) \|
governance	Azure Security Benchmark	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/azure-security-benchmark.md	Title: Regulatory Compliance details for Azure Security Benchmark description: Details of the Azure Security Benchmark Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/15/2022 Last updated : 03/10/2022 initiative definition. \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| \|[\[Preview\]: Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8dfab9c4-fe7b-49ad-85e4-1e9be085358f) \|Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in [https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc](/azure/security-center/defender-for-kubernetes-azure-arc). \|AuditIfNotExists, Disabled \|[4.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ASC_Azure_Defender_Kubernetes_Arc_Extension_Audit.json) \| -\|[\[Preview\]: Azure Kubernetes Service clusters should have Defender profile enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa1840de2-8088-4ea8-b153-b4c723e9cb01) \|Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in [https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-introduction](/azure/security-center/defender-for-kubernetes-introduction) \|Audit, Disabled \|[1.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ASC_Azure_Defender_Kubernetes_AKS_SecurityProfile_Audit.json) \| +\|[\[Preview\]: Azure Kubernetes Service clusters should have Defender profile enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa1840de2-8088-4ea8-b153-b4c723e9cb01) \|Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in [https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks](../../../defender-for-cloud/defender-for-containers-introduction.md?tabs=defender-for-container-arch-aks) \|Audit, Disabled \|[1.0.2-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ASC_Azure_Defender_Kubernetes_AKS_SecurityProfile_Audit.json) \| \|[Azure Defender for App Service should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2913021d-f2fd-4f3d-b958-22354e2bdbcb) \|Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. \|AuditIfNotExists, Disabled \|[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnAppServices_Audit.json) \| \|[Azure Defender for Azure SQL Database servers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7fe3b40f-802b-4cdd-8bd4-fd799c948cc2) \|Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. \|AuditIfNotExists, Disabled \|[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServers_Audit.json) \| \|[Azure Defender for DNS should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbdc59948-5574-49b3-bb91-76b7c986428d) \|Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at [https://aka.ms/defender-for-dns](../../../defender-for-cloud/defender-for-dns-introduction.md) . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: [https://aka.ms/pricing-security-center](https://aka.ms/pricing-security-center) . \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAzureDefenderOnDns_Audit.json) \| initiative definition. \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| \|[\[Preview\]: Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8dfab9c4-fe7b-49ad-85e4-1e9be085358f) \|Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in [https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc](/azure/security-center/defender-for-kubernetes-azure-arc). \|AuditIfNotExists, Disabled \|[4.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ASC_Azure_Defender_Kubernetes_Arc_Extension_Audit.json) \| -\|[\[Preview\]: Azure Kubernetes Service clusters should have Defender profile enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa1840de2-8088-4ea8-b153-b4c723e9cb01) \|Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in [https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-introduction](/azure/security-center/defender-for-kubernetes-introduction) \|Audit, Disabled \|[1.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ASC_Azure_Defender_Kubernetes_AKS_SecurityProfile_Audit.json) \| +\|[\[Preview\]: Azure Kubernetes Service clusters should have Defender profile enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa1840de2-8088-4ea8-b153-b4c723e9cb01) \|Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in [https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks](../../../defender-for-cloud/defender-for-containers-introduction.md?tabs=defender-for-container-arch-aks) \|Audit, Disabled \|[1.0.2-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ASC_Azure_Defender_Kubernetes_AKS_SecurityProfile_Audit.json) \| \|[Azure Defender for App Service should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2913021d-f2fd-4f3d-b958-22354e2bdbcb) \|Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. \|AuditIfNotExists, Disabled \|[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnAppServices_Audit.json) \| \|[Azure Defender for Azure SQL Database servers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7fe3b40f-802b-4cdd-8bd4-fd799c948cc2) \|Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. \|AuditIfNotExists, Disabled \|[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServers_Audit.json) \| \|[Azure Defender for DNS should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbdc59948-5574-49b3-bb91-76b7c986428d) \|Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at [https://aka.ms/defender-for-dns](../../../defender-for-cloud/defender-for-dns-introduction.md) . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: [https://aka.ms/pricing-security-center](https://aka.ms/pricing-security-center) . \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAzureDefenderOnDns_Audit.json) \| initiative definition. \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| -\|[Endpoint protection health issues should be resolved on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2) \|Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - [https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions](/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions). Endpoint protection assessment is documented here - [https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection](/azure/security-center/security-center-endpoint-protection). \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EndpointProtectionHealthIssuesShouldBeResolvedOnYourMachines_Audit.json) \| +\|[Endpoint protection health issues should be resolved on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2) \|Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - [Endpoint protection assessment and recommendations in Microsoft Defender for Cloud](../../../defender-for-cloud/endpoint-protection-recommendations-technical.md). Endpoint protection assessment is documented here - [Endpoint protection assessment and recommendations in Microsoft Defender for Cloud](/azure/defender-for-cloud/endpoint-protection-recommendations-technical). \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EndpointProtectionHealthIssuesShouldBeResolvedOnYourMachines_Audit.json) \| \|[Endpoint protection should be installed on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f7c564c-0a90-4d44-b7e1-9d456cffaee8) \|To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EndpointProtectionShouldBeInstalledOnYourMachines_Audit.json) \| \|[Endpoint protection solution should be installed on virtual machine scale sets](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F26a828e1-e88f-464e-bbb3-c134a282b9de) \|Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingEndpointProtection_Audit.json) \| \|[Monitor missing Endpoint Protection in Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faf6cd1bd-1635-48cb-bde7-5b15693900b9) \|Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingEndpointProtection_Audit.json) \| initiative definition. \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| -\|[Endpoint protection health issues should be resolved on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2) \|Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - [https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions](/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions). Endpoint protection assessment is documented here - [https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection](/azure/security-center/security-center-endpoint-protection). \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EndpointProtectionHealthIssuesShouldBeResolvedOnYourMachines_Audit.json) \| +\|[Endpoint protection health issues should be resolved on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2) \|Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - [Endpoint protection assessment and recommendations in Microsoft Defender for Cloud](../../../defender-for-cloud/endpoint-protection-recommendations-technical.md). Endpoint protection assessment is documented here - [Endpoint protection assessment and recommendations in Microsoft Defender for Cloud](/azure/defender-for-cloud/endpoint-protection-recommendations-technical). \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EndpointProtectionHealthIssuesShouldBeResolvedOnYourMachines_Audit.json) \| ## Backup and Recovery
governance	Azure Security Benchmarkv1	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/azure-security-benchmarkv1.md	Title: Regulatory Compliance details for Azure Security Benchmark v1 description: Details of the Azure Security Benchmark v1 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/15/2022 Last updated : 03/10/2022
governance	Canada Federal Pbmm	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/canada-federal-pbmm.md	Title: Regulatory Compliance details for Canada Federal PBMM description: Details of the Canada Federal PBMM Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/15/2022 Last updated : 03/10/2022
governance	Cis Azure 1 1 0	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/cis-azure-1-1-0.md	Title: Regulatory Compliance details for CIS Microsoft Azure Foundations Benchmark 1.1.0 description: Details of the CIS Microsoft Azure Foundations Benchmark 1.1.0 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/15/2022 Last updated : 03/10/2022
governance	Cis Azure 1 3 0	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/cis-azure-1-3-0.md	Title: Regulatory Compliance details for CIS Microsoft Azure Foundations Benchmark 1.3.0 description: Details of the CIS Microsoft Azure Foundations Benchmark 1.3.0 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/15/2022 Last updated : 03/10/2022
governance	Cmmc L3	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/cmmc-l3.md	Title: Regulatory Compliance details for CMMC Level 3 description: Details of the CMMC Level 3 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/15/2022 Last updated : 03/10/2022
governance	Fedramp High	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/fedramp-high.md	Title: Regulatory Compliance details for FedRAMP High description: Details of the FedRAMP High Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/15/2022 Last updated : 03/10/2022 initiative definition. ### Account Management ID: FedRAMP High AC-2 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Automated System Account Management ID: FedRAMP High AC-2 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Role-based Schemes ID: FedRAMP High AC-2 (7) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Account Monitoring / Atypical Usage ID: FedRAMP High AC-2 (12) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Access Enforcement ID: FedRAMP High AC-3 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Information Flow Enforcement ID: FedRAMP High AC-4 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Separation of Duties ID: FedRAMP High AC-5 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Least Privilege ID: FedRAMP High AC-6 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Review of User Privileges ID: FedRAMP High AC-6 (7) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Remote Access ID: FedRAMP High AC-17 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Automated Monitoring / Control ID: FedRAMP High AC-17 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Audit Review, Analysis, and Reporting ID: FedRAMP High AU-6 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Central Review and Analysis ID: FedRAMP High AU-6 (4) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| -\|[\[Deprecated\]: Diagnostic logs in App Services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb607c5de-e7d9-4eee-9e5c-83f1bcee4fa0) \|Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised \|AuditIfNotExists, Disabled \|[2.0.0-deprecated](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditLoggingMonitoring_Audit_v2_deprecated.json) \| \|[\[Preview\]: Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8dfab9c4-fe7b-49ad-85e4-1e9be085358f) \|Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in [https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc](/azure/security-center/defender-for-kubernetes-azure-arc). \|AuditIfNotExists, Disabled \|[4.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ASC_Azure_Defender_Kubernetes_Arc_Extension_Audit.json) \| \|[\[Preview\]: Log Analytics extension should be installed on your Linux Azure Arc machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F842c54e8-c2f9-4d79-ae8d-38d8b8019373) \|This policy audits Linux Azure Arc machines if the Log Analytics extension is not installed. \|AuditIfNotExists, Disabled \|[1.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Arc_Linux_LogAnalytics_Audit.json) \| \|[\[Preview\]: Log Analytics extension should be installed on your Windows Azure Arc machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd69b1763-b96d-40b8-a2d9-ca31e9fd0d3e) \|This policy audits Windows Azure Arc machines if the Log Analytics extension is not installed. \|AuditIfNotExists, Disabled \|[1.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Arc_Windows_LogAnalytics_Audit.json) \| initiative definition. \|[Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa3a6ea0c-e018-4933-9ef0-5aaa1501449b) \|Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVmss.json) \| \|[Microsoft Defender for Containers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) \|Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) \| \|[Network Watcher should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb6e2945c-0b7b-40f5-9233-7a5323b5cdc6) \|Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkWatcher_Enabled_Audit.json) \| +\|[Resource logs in App Services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F91a78b24-f231-4a8a-8da9-02c35b2b6510) \|Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ResourceLoggingMonitoring_Audit.json) \| \|[Resource logs in Azure Data Lake Store should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057ef27e-665e-4328-8ea3-04b3122bd9fb) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStore_AuditDiagnosticLog_Audit.json) \| \|[Resource logs in Azure Stream Analytics should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9be5368-9bf5-4b84-9e0a-7850da98bb46) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_AuditDiagnosticLog_Audit.json) \| \|[Resource logs in Batch accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F428256e6-1fac-4f48-a757-df34c2b3336d) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_AuditDiagnosticLog_Audit.json) \| initiative definition. ### Integration / Scanning and Monitoring Capabilities ID: FedRAMP High AU-6 (5) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| -\|[\[Deprecated\]: Diagnostic logs in App Services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb607c5de-e7d9-4eee-9e5c-83f1bcee4fa0) \|Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised \|AuditIfNotExists, Disabled \|[2.0.0-deprecated](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditLoggingMonitoring_Audit_v2_deprecated.json) \| \|[\[Preview\]: Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8dfab9c4-fe7b-49ad-85e4-1e9be085358f) \|Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in [https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc](/azure/security-center/defender-for-kubernetes-azure-arc). \|AuditIfNotExists, Disabled \|[4.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ASC_Azure_Defender_Kubernetes_Arc_Extension_Audit.json) \| \|[\[Preview\]: Log Analytics extension should be installed on your Linux Azure Arc machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F842c54e8-c2f9-4d79-ae8d-38d8b8019373) \|This policy audits Linux Azure Arc machines if the Log Analytics extension is not installed. \|AuditIfNotExists, Disabled \|[1.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Arc_Linux_LogAnalytics_Audit.json) \| \|[\[Preview\]: Log Analytics extension should be installed on your Windows Azure Arc machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd69b1763-b96d-40b8-a2d9-ca31e9fd0d3e) \|This policy audits Windows Azure Arc machines if the Log Analytics extension is not installed. \|AuditIfNotExists, Disabled \|[1.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Arc_Windows_LogAnalytics_Audit.json) \| initiative definition. \|[Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa3a6ea0c-e018-4933-9ef0-5aaa1501449b) \|Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVmss.json) \| \|[Microsoft Defender for Containers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) \|Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) \| \|[Network Watcher should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb6e2945c-0b7b-40f5-9233-7a5323b5cdc6) \|Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkWatcher_Enabled_Audit.json) \| +\|[Resource logs in App Services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F91a78b24-f231-4a8a-8da9-02c35b2b6510) \|Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ResourceLoggingMonitoring_Audit.json) \| \|[Resource logs in Azure Data Lake Store should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057ef27e-665e-4328-8ea3-04b3122bd9fb) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStore_AuditDiagnosticLog_Audit.json) \| \|[Resource logs in Azure Stream Analytics should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9be5368-9bf5-4b84-9e0a-7850da98bb46) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_AuditDiagnosticLog_Audit.json) \| \|[Resource logs in Batch accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F428256e6-1fac-4f48-a757-df34c2b3336d) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_AuditDiagnosticLog_Audit.json) \| initiative definition. ### Audit Record Retention ID: FedRAMP High AU-11 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Audit Generation ID: FedRAMP High AU-12 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| -\|[\[Deprecated\]: Diagnostic logs in App Services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb607c5de-e7d9-4eee-9e5c-83f1bcee4fa0) \|Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised \|AuditIfNotExists, Disabled \|[2.0.0-deprecated](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditLoggingMonitoring_Audit_v2_deprecated.json) \| \|[\[Preview\]: Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8dfab9c4-fe7b-49ad-85e4-1e9be085358f) \|Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in [https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc](/azure/security-center/defender-for-kubernetes-azure-arc). \|AuditIfNotExists, Disabled \|[4.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ASC_Azure_Defender_Kubernetes_Arc_Extension_Audit.json) \| \|[\[Preview\]: Log Analytics extension should be installed on your Linux Azure Arc machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F842c54e8-c2f9-4d79-ae8d-38d8b8019373) \|This policy audits Linux Azure Arc machines if the Log Analytics extension is not installed. \|AuditIfNotExists, Disabled \|[1.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Arc_Linux_LogAnalytics_Audit.json) \| \|[\[Preview\]: Log Analytics extension should be installed on your Windows Azure Arc machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd69b1763-b96d-40b8-a2d9-ca31e9fd0d3e) \|This policy audits Windows Azure Arc machines if the Log Analytics extension is not installed. \|AuditIfNotExists, Disabled \|[1.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Arc_Windows_LogAnalytics_Audit.json) \| initiative definition. \|[Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa3a6ea0c-e018-4933-9ef0-5aaa1501449b) \|Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVmss.json) \| \|[Microsoft Defender for Containers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) \|Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) \| \|[Network Watcher should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb6e2945c-0b7b-40f5-9233-7a5323b5cdc6) \|Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkWatcher_Enabled_Audit.json) \| +\|[Resource logs in App Services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F91a78b24-f231-4a8a-8da9-02c35b2b6510) \|Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ResourceLoggingMonitoring_Audit.json) \| \|[Resource logs in Azure Data Lake Store should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057ef27e-665e-4328-8ea3-04b3122bd9fb) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStore_AuditDiagnosticLog_Audit.json) \| \|[Resource logs in Azure Stream Analytics should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9be5368-9bf5-4b84-9e0a-7850da98bb46) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_AuditDiagnosticLog_Audit.json) \| \|[Resource logs in Batch accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F428256e6-1fac-4f48-a757-df34c2b3336d) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_AuditDiagnosticLog_Audit.json) \| initiative definition. ### System-wide / Time-correlated Audit Trail ID: FedRAMP High AU-12 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| -\|[\[Deprecated\]: Diagnostic logs in App Services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb607c5de-e7d9-4eee-9e5c-83f1bcee4fa0) \|Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised \|AuditIfNotExists, Disabled \|[2.0.0-deprecated](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditLoggingMonitoring_Audit_v2_deprecated.json) \| \|[\[Preview\]: Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8dfab9c4-fe7b-49ad-85e4-1e9be085358f) \|Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in [https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc](/azure/security-center/defender-for-kubernetes-azure-arc). \|AuditIfNotExists, Disabled \|[4.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ASC_Azure_Defender_Kubernetes_Arc_Extension_Audit.json) \| \|[\[Preview\]: Log Analytics extension should be installed on your Linux Azure Arc machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F842c54e8-c2f9-4d79-ae8d-38d8b8019373) \|This policy audits Linux Azure Arc machines if the Log Analytics extension is not installed. \|AuditIfNotExists, Disabled \|[1.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Arc_Linux_LogAnalytics_Audit.json) \| \|[\[Preview\]: Log Analytics extension should be installed on your Windows Azure Arc machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd69b1763-b96d-40b8-a2d9-ca31e9fd0d3e) \|This policy audits Windows Azure Arc machines if the Log Analytics extension is not installed. \|AuditIfNotExists, Disabled \|[1.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Arc_Windows_LogAnalytics_Audit.json) \| initiative definition. \|[Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa3a6ea0c-e018-4933-9ef0-5aaa1501449b) \|Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVmss.json) \| \|[Microsoft Defender for Containers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) \|Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) \| \|[Network Watcher should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb6e2945c-0b7b-40f5-9233-7a5323b5cdc6) \|Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkWatcher_Enabled_Audit.json) \| +\|[Resource logs in App Services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F91a78b24-f231-4a8a-8da9-02c35b2b6510) \|Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ResourceLoggingMonitoring_Audit.json) \| \|[Resource logs in Azure Data Lake Store should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057ef27e-665e-4328-8ea3-04b3122bd9fb) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStore_AuditDiagnosticLog_Audit.json) \| \|[Resource logs in Azure Stream Analytics should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9be5368-9bf5-4b84-9e0a-7850da98bb46) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_AuditDiagnosticLog_Audit.json) \| \|[Resource logs in Batch accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F428256e6-1fac-4f48-a757-df34c2b3336d) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_AuditDiagnosticLog_Audit.json) \| initiative definition. ### Configuration Settings ID: FedRAMP High CM-6 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Least Functionality ID: FedRAMP High CM-7 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Prevent Program Execution ID: FedRAMP High CM-7 (2) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Authorized Software / Whitelisting ID: FedRAMP High CM-7 (5) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Software Usage Restrictions ID: FedRAMP High CM-10 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### User-installed Software ID: FedRAMP High CM-11 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Alternate Storage Site ID: FedRAMP High CP-6 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Separation from Primary Site ID: FedRAMP High CP-6 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Alternate Processing Site ID: FedRAMP High CP-7 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Information System Backup ID: FedRAMP High CP-9 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Identification and Authentication (organizational Users) ID: FedRAMP High IA-2 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Network Access to Privileged Accounts ID: FedRAMP High IA-2 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Network Access to Non-privileged Accounts ID: FedRAMP High IA-2 (2) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Identifier Management ID: FedRAMP High IA-4 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Authenticator Management ID: FedRAMP High IA-5 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Password-based Authentication ID: FedRAMP High IA-5 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Incident Handling ID: FedRAMP High IR-4 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Incident Monitoring ID: FedRAMP High IR-5 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Vulnerability Scanning ID: FedRAMP High RA-5 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Security Function Isolation ID: FedRAMP High SC-3 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Denial of Service Protection ID: FedRAMP High SC-5 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Boundary Protection ID: FedRAMP High SC-7 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Access Points ID: FedRAMP High SC-7 (3) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Transmission Confidentiality and Integrity ID: FedRAMP High SC-8 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Cryptographic or Alternate Physical Protection ID: FedRAMP High SC-8 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Cryptographic Key Establishment and Management ID: FedRAMP High SC-12 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Protection of Information at Rest ID: FedRAMP High SC-28 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Cryptographic Protection ID: FedRAMP High SC-28 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Flaw Remediation ID: FedRAMP High SI-2 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Malicious Code Protection ID: FedRAMP High SI-3 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Central Management ID: FedRAMP High SI-3 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Information System Monitoring ID: FedRAMP High SI-4 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Memory Protection ID: FedRAMP High SI-16 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\|
governance	Fedramp Moderate	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/fedramp-moderate.md	Title: Regulatory Compliance details for FedRAMP Moderate description: Details of the FedRAMP Moderate Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/15/2022 Last updated : 03/10/2022 initiative definition. ### Account Management ID: FedRAMP Moderate AC-2 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Automated System Account Management ID: FedRAMP Moderate AC-2 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Role-based Schemes ID: FedRAMP Moderate AC-2 (7) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Account Monitoring / Atypical Usage ID: FedRAMP Moderate AC-2 (12) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Access Enforcement ID: FedRAMP Moderate AC-3 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Information Flow Enforcement ID: FedRAMP Moderate AC-4 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Separation of Duties ID: FedRAMP Moderate AC-5 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Least Privilege ID: FedRAMP Moderate AC-6 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Remote Access ID: FedRAMP Moderate AC-17 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Automated Monitoring / Control ID: FedRAMP Moderate AC-17 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Audit Review, Analysis, and Reporting ID: FedRAMP Moderate AU-6 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Audit Record Retention ID: FedRAMP Moderate AU-11 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Audit Generation ID: FedRAMP Moderate AU-12 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| -\|[\[Deprecated\]: Diagnostic logs in App Services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb607c5de-e7d9-4eee-9e5c-83f1bcee4fa0) \|Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised \|AuditIfNotExists, Disabled \|[2.0.0-deprecated](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditLoggingMonitoring_Audit_v2_deprecated.json) \| \|[\[Preview\]: Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8dfab9c4-fe7b-49ad-85e4-1e9be085358f) \|Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in [https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc](/azure/security-center/defender-for-kubernetes-azure-arc). \|AuditIfNotExists, Disabled \|[4.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ASC_Azure_Defender_Kubernetes_Arc_Extension_Audit.json) \| \|[\[Preview\]: Log Analytics extension should be installed on your Linux Azure Arc machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F842c54e8-c2f9-4d79-ae8d-38d8b8019373) \|This policy audits Linux Azure Arc machines if the Log Analytics extension is not installed. \|AuditIfNotExists, Disabled \|[1.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Arc_Linux_LogAnalytics_Audit.json) \| \|[\[Preview\]: Log Analytics extension should be installed on your Windows Azure Arc machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd69b1763-b96d-40b8-a2d9-ca31e9fd0d3e) \|This policy audits Windows Azure Arc machines if the Log Analytics extension is not installed. \|AuditIfNotExists, Disabled \|[1.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Arc_Windows_LogAnalytics_Audit.json) \| initiative definition. \|[Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa3a6ea0c-e018-4933-9ef0-5aaa1501449b) \|Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVmss.json) \| \|[Microsoft Defender for Containers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) \|Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) \| \|[Network Watcher should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb6e2945c-0b7b-40f5-9233-7a5323b5cdc6) \|Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkWatcher_Enabled_Audit.json) \| +\|[Resource logs in App Services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F91a78b24-f231-4a8a-8da9-02c35b2b6510) \|Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ResourceLoggingMonitoring_Audit.json) \| \|[Resource logs in Azure Data Lake Store should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057ef27e-665e-4328-8ea3-04b3122bd9fb) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStore_AuditDiagnosticLog_Audit.json) \| \|[Resource logs in Azure Stream Analytics should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9be5368-9bf5-4b84-9e0a-7850da98bb46) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_AuditDiagnosticLog_Audit.json) \| \|[Resource logs in Batch accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F428256e6-1fac-4f48-a757-df34c2b3336d) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_AuditDiagnosticLog_Audit.json) \| initiative definition. ### Configuration Settings ID: FedRAMP Moderate CM-6 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Least Functionality ID: FedRAMP Moderate CM-7 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Prevent Program Execution ID: FedRAMP Moderate CM-7 (2) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Authorized Software / Whitelisting ID: FedRAMP Moderate CM-7 (5) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Software Usage Restrictions ID: FedRAMP Moderate CM-10 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### User-installed Software ID: FedRAMP Moderate CM-11 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Alternate Storage Site ID: FedRAMP Moderate CP-6 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Separation from Primary Site ID: FedRAMP Moderate CP-6 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Alternate Processing Site ID: FedRAMP Moderate CP-7 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Information System Backup ID: FedRAMP Moderate CP-9 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Identification and Authentication (organizational Users) ID: FedRAMP Moderate IA-2 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Network Access to Privileged Accounts ID: FedRAMP Moderate IA-2 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Network Access to Non-privileged Accounts ID: FedRAMP Moderate IA-2 (2) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Identifier Management ID: FedRAMP Moderate IA-4 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Authenticator Management ID: FedRAMP Moderate IA-5 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Password-based Authentication ID: FedRAMP Moderate IA-5 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Incident Handling ID: FedRAMP Moderate IR-4 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Incident Monitoring ID: FedRAMP Moderate IR-5 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Vulnerability Scanning ID: FedRAMP Moderate RA-5 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Denial of Service Protection ID: FedRAMP Moderate SC-5 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Boundary Protection ID: FedRAMP Moderate SC-7 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Access Points ID: FedRAMP Moderate SC-7 (3) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Transmission Confidentiality and Integrity ID: FedRAMP Moderate SC-8 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Cryptographic or Alternate Physical Protection ID: FedRAMP Moderate SC-8 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Cryptographic Key Establishment and Management ID: FedRAMP Moderate SC-12 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Protection of Information at Rest ID: FedRAMP Moderate SC-28 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Cryptographic Protection ID: FedRAMP Moderate SC-28 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Flaw Remediation ID: FedRAMP Moderate SI-2 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Malicious Code Protection ID: FedRAMP Moderate SI-3 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Central Management ID: FedRAMP Moderate SI-3 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Information System Monitoring ID: FedRAMP Moderate SI-4 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Memory Protection ID: FedRAMP Moderate SI-16 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\|
governance	Gov Azure Security Benchmark	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-azure-security-benchmark.md	Title: Regulatory Compliance details for Azure Security Benchmark (Azure Government) description: Details of the Azure Security Benchmark (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/15/2022 Last updated : 03/10/2022
governance	Gov Cis Azure 1 1 0	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-cis-azure-1-1-0.md	Title: Regulatory Compliance details for CIS Microsoft Azure Foundations Benchmark 1.1.0 (Azure Government) description: Details of the CIS Microsoft Azure Foundations Benchmark 1.1.0 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/15/2022 Last updated : 03/10/2022
governance	Gov Cis Azure 1 3 0	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-cis-azure-1-3-0.md	Title: Regulatory Compliance details for CIS Microsoft Azure Foundations Benchmark 1.3.0 (Azure Government) description: Details of the CIS Microsoft Azure Foundations Benchmark 1.3.0 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/15/2022 Last updated : 03/10/2022
governance	Gov Cmmc L3	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-cmmc-l3.md	Title: Regulatory Compliance details for CMMC Level 3 (Azure Government) description: Details of the CMMC Level 3 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/15/2022 Last updated : 03/10/2022 This built-in initiative is deployed as part of the \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| -\|[\[Deprecated\]: Diagnostic logs in App Services should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb607c5de-e7d9-4eee-9e5c-83f1bcee4fa0) \|Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised \|AuditIfNotExists, Disabled \|[2.0.0-deprecated](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditLoggingMonitoring_Audit_v2_deprecated.json) \| \|[\[Preview\]: Log Analytics Extension should be enabled for listed virtual machine images](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F32133ab0-ee4b-4b44-98d6-042180979d50) \|Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. \|AuditIfNotExists, Disabled \|[2.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_OSImage_Audit.json) \| \|[Audit diagnostic setting](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7f89b1eb-583c-429a-8828-af049802c1d9) \|Audit diagnostic setting for selected resource types \|AuditIfNotExists \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json) \| \|[Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138) \|Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. \|AuditIfNotExists, Disabled \|[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_OSImage_VMSS_Audit.json) \| +\|[Resource logs in App Services should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F91a78b24-f231-4a8a-8da9-02c35b2b6510) \|Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ResourceLoggingMonitoring_Audit.json) \| \|[The Log Analytics extension should be installed on Virtual Machine Scale Sets](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fefbde977-ba53-4479-b8e9-10b957924fbf) \|This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics extension is not installed. \|AuditIfNotExists, Disabled \|[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/VMSS_LogAnalyticsAgent_AuditIfNotExists.json) \| \|[Virtual machines should be connected to a specified workspace](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff47b5582-33ec-4c5c-87c0-b010a6b2e917) \|Reports virtual machines as non-compliant if they aren't logging to the Log Analytics workspace specified in the policy/initiative assignment. \|AuditIfNotExists, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_WorkspaceMismatch_VM_Audit.json) \| \|[Virtual machines should have the Log Analytics extension installed](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa70ca396-0a34-413a-88e1-b956c1e683be) \|This policy audits any Windows/Linux virtual machines if the Log Analytics extension is not installed. \|AuditIfNotExists, Disabled \|[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/VirtualMachines_LogAnalyticsAgent_AuditIfNotExists.json) \|
governance	Gov Fedramp High	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-fedramp-high.md	Title: Regulatory Compliance details for FedRAMP High (Azure Government) description: Details of the FedRAMP High (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/15/2022 Last updated : 03/10/2022 initiative definition. ### Account Management ID: FedRAMP High AC-2 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Automated System Account Management ID: FedRAMP High AC-2 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Role-based Schemes ID: FedRAMP High AC-2 (7) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Account Monitoring / Atypical Usage ID: FedRAMP High AC-2 (12) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Access Enforcement ID: FedRAMP High AC-3 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Information Flow Enforcement ID: FedRAMP High AC-4 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Separation of Duties ID: FedRAMP High AC-5 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Least Privilege ID: FedRAMP High AC-6 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Review of User Privileges ID: FedRAMP High AC-6 (7) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Remote Access ID: FedRAMP High AC-17 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Automated Monitoring / Control ID: FedRAMP High AC-17 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Audit Review, Analysis, and Reporting ID: FedRAMP High AU-6 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Central Review and Analysis ID: FedRAMP High AU-6 (4) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| -\|[\[Deprecated\]: Diagnostic logs in App Services should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb607c5de-e7d9-4eee-9e5c-83f1bcee4fa0) \|Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised \|AuditIfNotExists, Disabled \|[2.0.0-deprecated](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditLoggingMonitoring_Audit_v2_deprecated.json) \| \|[\[Preview\]: Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8dfab9c4-fe7b-49ad-85e4-1e9be085358f) \|Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in [https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc](/azure/security-center/defender-for-kubernetes-azure-arc). \|AuditIfNotExists, Disabled \|[3.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Kubernetes/ASC_Azure_Defender_Kubernetes_Arc_Extension_Audit.json) \| \|[\[Preview\]: Network traffic data collection agent should be installed on Linux virtual machines](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F04c4380f-3fae-46e8-96c9-30193528f602) \|Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. \|AuditIfNotExists, Disabled \|[1.0.2-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ASC_Dependency_Agent_Audit_Linux.json) \| \|[\[Preview\]: Network traffic data collection agent should be installed on Windows virtual machines](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2f2ee1de-44aa-4762-b6bd-0893fc3f306d) \|Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. \|AuditIfNotExists, Disabled \|[1.0.2-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ASC_Dependency_Agent_Audit_Windows.json) \| initiative definition. \|[Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa3a6ea0c-e018-4933-9ef0-5aaa1501449b) \|Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_InstallLaAgentOnVmss.json) \| \|[Microsoft Defender for Containers should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) \|Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) \| \|[Network Watcher should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb6e2945c-0b7b-40f5-9233-7a5323b5cdc6) \|Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkWatcher_Enabled_Audit.json) \| +\|[Resource logs in App Services should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F91a78b24-f231-4a8a-8da9-02c35b2b6510) \|Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ResourceLoggingMonitoring_Audit.json) \| \|[Resource logs in Azure Data Lake Store should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057ef27e-665e-4328-8ea3-04b3122bd9fb) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStore_AuditDiagnosticLog_Audit.json) \| \|[Resource logs in Azure Stream Analytics should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9be5368-9bf5-4b84-9e0a-7850da98bb46) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_AuditDiagnosticLog_Audit.json) \| \|[Resource logs in Batch accounts should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F428256e6-1fac-4f48-a757-df34c2b3336d) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_AuditDiagnosticLog_Audit.json) \| initiative definition. ### Integration / Scanning and Monitoring Capabilities ID: FedRAMP High AU-6 (5) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| -\|[\[Deprecated\]: Diagnostic logs in App Services should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb607c5de-e7d9-4eee-9e5c-83f1bcee4fa0) \|Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised \|AuditIfNotExists, Disabled \|[2.0.0-deprecated](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditLoggingMonitoring_Audit_v2_deprecated.json) \| \|[\[Preview\]: Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8dfab9c4-fe7b-49ad-85e4-1e9be085358f) \|Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in [https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc](/azure/security-center/defender-for-kubernetes-azure-arc). \|AuditIfNotExists, Disabled \|[3.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Kubernetes/ASC_Azure_Defender_Kubernetes_Arc_Extension_Audit.json) \| \|[\[Preview\]: Network traffic data collection agent should be installed on Linux virtual machines](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F04c4380f-3fae-46e8-96c9-30193528f602) \|Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. \|AuditIfNotExists, Disabled \|[1.0.2-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ASC_Dependency_Agent_Audit_Linux.json) \| \|[\[Preview\]: Network traffic data collection agent should be installed on Windows virtual machines](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2f2ee1de-44aa-4762-b6bd-0893fc3f306d) \|Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. \|AuditIfNotExists, Disabled \|[1.0.2-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ASC_Dependency_Agent_Audit_Windows.json) \| initiative definition. \|[Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa3a6ea0c-e018-4933-9ef0-5aaa1501449b) \|Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_InstallLaAgentOnVmss.json) \| \|[Microsoft Defender for Containers should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) \|Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) \| \|[Network Watcher should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb6e2945c-0b7b-40f5-9233-7a5323b5cdc6) \|Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkWatcher_Enabled_Audit.json) \| +\|[Resource logs in App Services should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F91a78b24-f231-4a8a-8da9-02c35b2b6510) \|Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ResourceLoggingMonitoring_Audit.json) \| \|[Resource logs in Azure Data Lake Store should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057ef27e-665e-4328-8ea3-04b3122bd9fb) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStore_AuditDiagnosticLog_Audit.json) \| \|[Resource logs in Azure Stream Analytics should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9be5368-9bf5-4b84-9e0a-7850da98bb46) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_AuditDiagnosticLog_Audit.json) \| \|[Resource logs in Batch accounts should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F428256e6-1fac-4f48-a757-df34c2b3336d) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_AuditDiagnosticLog_Audit.json) \| initiative definition. ### Audit Record Retention ID: FedRAMP High AU-11 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Audit Generation ID: FedRAMP High AU-12 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| -\|[\[Deprecated\]: Diagnostic logs in App Services should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb607c5de-e7d9-4eee-9e5c-83f1bcee4fa0) \|Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised \|AuditIfNotExists, Disabled \|[2.0.0-deprecated](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditLoggingMonitoring_Audit_v2_deprecated.json) \| \|[\[Preview\]: Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8dfab9c4-fe7b-49ad-85e4-1e9be085358f) \|Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in [https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc](/azure/security-center/defender-for-kubernetes-azure-arc). \|AuditIfNotExists, Disabled \|[3.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Kubernetes/ASC_Azure_Defender_Kubernetes_Arc_Extension_Audit.json) \| \|[\[Preview\]: Network traffic data collection agent should be installed on Linux virtual machines](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F04c4380f-3fae-46e8-96c9-30193528f602) \|Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. \|AuditIfNotExists, Disabled \|[1.0.2-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ASC_Dependency_Agent_Audit_Linux.json) \| \|[\[Preview\]: Network traffic data collection agent should be installed on Windows virtual machines](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2f2ee1de-44aa-4762-b6bd-0893fc3f306d) \|Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. \|AuditIfNotExists, Disabled \|[1.0.2-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ASC_Dependency_Agent_Audit_Windows.json) \| initiative definition. \|[Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa3a6ea0c-e018-4933-9ef0-5aaa1501449b) \|Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_InstallLaAgentOnVmss.json) \| \|[Microsoft Defender for Containers should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) \|Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) \| \|[Network Watcher should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb6e2945c-0b7b-40f5-9233-7a5323b5cdc6) \|Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkWatcher_Enabled_Audit.json) \| +\|[Resource logs in App Services should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F91a78b24-f231-4a8a-8da9-02c35b2b6510) \|Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ResourceLoggingMonitoring_Audit.json) \| \|[Resource logs in Azure Data Lake Store should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057ef27e-665e-4328-8ea3-04b3122bd9fb) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStore_AuditDiagnosticLog_Audit.json) \| \|[Resource logs in Azure Stream Analytics should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9be5368-9bf5-4b84-9e0a-7850da98bb46) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_AuditDiagnosticLog_Audit.json) \| \|[Resource logs in Batch accounts should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F428256e6-1fac-4f48-a757-df34c2b3336d) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_AuditDiagnosticLog_Audit.json) \| initiative definition. ### System-wide / Time-correlated Audit Trail ID: FedRAMP High AU-12 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| -\|[\[Deprecated\]: Diagnostic logs in App Services should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb607c5de-e7d9-4eee-9e5c-83f1bcee4fa0) \|Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised \|AuditIfNotExists, Disabled \|[2.0.0-deprecated](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditLoggingMonitoring_Audit_v2_deprecated.json) \| \|[\[Preview\]: Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8dfab9c4-fe7b-49ad-85e4-1e9be085358f) \|Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in [https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc](/azure/security-center/defender-for-kubernetes-azure-arc). \|AuditIfNotExists, Disabled \|[3.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Kubernetes/ASC_Azure_Defender_Kubernetes_Arc_Extension_Audit.json) \| \|[\[Preview\]: Network traffic data collection agent should be installed on Linux virtual machines](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F04c4380f-3fae-46e8-96c9-30193528f602) \|Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. \|AuditIfNotExists, Disabled \|[1.0.2-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ASC_Dependency_Agent_Audit_Linux.json) \| \|[\[Preview\]: Network traffic data collection agent should be installed on Windows virtual machines](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2f2ee1de-44aa-4762-b6bd-0893fc3f306d) \|Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. \|AuditIfNotExists, Disabled \|[1.0.2-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ASC_Dependency_Agent_Audit_Windows.json) \| initiative definition. \|[Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa3a6ea0c-e018-4933-9ef0-5aaa1501449b) \|Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_InstallLaAgentOnVmss.json) \| \|[Microsoft Defender for Containers should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) \|Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) \| \|[Network Watcher should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb6e2945c-0b7b-40f5-9233-7a5323b5cdc6) \|Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkWatcher_Enabled_Audit.json) \| +\|[Resource logs in App Services should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F91a78b24-f231-4a8a-8da9-02c35b2b6510) \|Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ResourceLoggingMonitoring_Audit.json) \| \|[Resource logs in Azure Data Lake Store should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057ef27e-665e-4328-8ea3-04b3122bd9fb) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStore_AuditDiagnosticLog_Audit.json) \| \|[Resource logs in Azure Stream Analytics should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9be5368-9bf5-4b84-9e0a-7850da98bb46) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_AuditDiagnosticLog_Audit.json) \| \|[Resource logs in Batch accounts should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F428256e6-1fac-4f48-a757-df34c2b3336d) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_AuditDiagnosticLog_Audit.json) \| initiative definition. ### Configuration Settings ID: FedRAMP High CM-6 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Least Functionality ID: FedRAMP High CM-7 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Prevent Program Execution ID: FedRAMP High CM-7 (2) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Authorized Software / Whitelisting ID: FedRAMP High CM-7 (5) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Software Usage Restrictions ID: FedRAMP High CM-10 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### User-installed Software ID: FedRAMP High CM-11 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Alternate Storage Site ID: FedRAMP High CP-6 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Separation from Primary Site ID: FedRAMP High CP-6 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Alternate Processing Site ID: FedRAMP High CP-7 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Information System Backup ID: FedRAMP High CP-9 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Identification and Authentication (organizational Users) ID: FedRAMP High IA-2 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Network Access to Privileged Accounts ID: FedRAMP High IA-2 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Network Access to Non-privileged Accounts ID: FedRAMP High IA-2 (2) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Identifier Management ID: FedRAMP High IA-4 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Authenticator Management ID: FedRAMP High IA-5 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Password-based Authentication ID: FedRAMP High IA-5 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Incident Handling ID: FedRAMP High IR-4 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Incident Monitoring ID: FedRAMP High IR-5 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Vulnerability Scanning ID: FedRAMP High RA-5 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Security Function Isolation ID: FedRAMP High SC-3 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Denial of Service Protection ID: FedRAMP High SC-5 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Boundary Protection ID: FedRAMP High SC-7 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Access Points ID: FedRAMP High SC-7 (3) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Transmission Confidentiality and Integrity ID: FedRAMP High SC-8 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Cryptographic or Alternate Physical Protection ID: FedRAMP High SC-8 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Cryptographic Key Establishment and Management ID: FedRAMP High SC-12 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Protection of Information at Rest ID: FedRAMP High SC-28 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Cryptographic Protection ID: FedRAMP High SC-28 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Flaw Remediation ID: FedRAMP High SI-2 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Malicious Code Protection ID: FedRAMP High SI-3 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Central Management ID: FedRAMP High SI-3 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Information System Monitoring ID: FedRAMP High SI-4 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Memory Protection ID: FedRAMP High SI-16 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\|
governance	Gov Fedramp Moderate	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-fedramp-moderate.md	Title: Regulatory Compliance details for FedRAMP Moderate (Azure Government) description: Details of the FedRAMP Moderate (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/15/2022 Last updated : 03/10/2022 initiative definition. ### Account Management ID: FedRAMP Moderate AC-2 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Automated System Account Management ID: FedRAMP Moderate AC-2 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Role-based Schemes ID: FedRAMP Moderate AC-2 (7) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Account Monitoring / Atypical Usage ID: FedRAMP Moderate AC-2 (12) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Access Enforcement ID: FedRAMP Moderate AC-3 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Information Flow Enforcement ID: FedRAMP Moderate AC-4 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Separation of Duties ID: FedRAMP Moderate AC-5 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Least Privilege ID: FedRAMP Moderate AC-6 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Remote Access ID: FedRAMP Moderate AC-17 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Automated Monitoring / Control ID: FedRAMP Moderate AC-17 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Audit Review, Analysis, and Reporting ID: FedRAMP Moderate AU-6 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Audit Record Retention ID: FedRAMP Moderate AU-11 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Audit Generation ID: FedRAMP Moderate AU-12 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| -\|[\[Deprecated\]: Diagnostic logs in App Services should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb607c5de-e7d9-4eee-9e5c-83f1bcee4fa0) \|Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised \|AuditIfNotExists, Disabled \|[2.0.0-deprecated](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditLoggingMonitoring_Audit_v2_deprecated.json) \| \|[\[Preview\]: Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8dfab9c4-fe7b-49ad-85e4-1e9be085358f) \|Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in [https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc](/azure/security-center/defender-for-kubernetes-azure-arc). \|AuditIfNotExists, Disabled \|[3.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Kubernetes/ASC_Azure_Defender_Kubernetes_Arc_Extension_Audit.json) \| \|[\[Preview\]: Network traffic data collection agent should be installed on Linux virtual machines](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F04c4380f-3fae-46e8-96c9-30193528f602) \|Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. \|AuditIfNotExists, Disabled \|[1.0.2-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ASC_Dependency_Agent_Audit_Linux.json) \| \|[\[Preview\]: Network traffic data collection agent should be installed on Windows virtual machines](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2f2ee1de-44aa-4762-b6bd-0893fc3f306d) \|Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. \|AuditIfNotExists, Disabled \|[1.0.2-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ASC_Dependency_Agent_Audit_Windows.json) \| initiative definition. \|[Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa3a6ea0c-e018-4933-9ef0-5aaa1501449b) \|Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_InstallLaAgentOnVmss.json) \| \|[Microsoft Defender for Containers should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) \|Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) \| \|[Network Watcher should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb6e2945c-0b7b-40f5-9233-7a5323b5cdc6) \|Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkWatcher_Enabled_Audit.json) \| +\|[Resource logs in App Services should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F91a78b24-f231-4a8a-8da9-02c35b2b6510) \|Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ResourceLoggingMonitoring_Audit.json) \| \|[Resource logs in Azure Data Lake Store should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057ef27e-665e-4328-8ea3-04b3122bd9fb) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStore_AuditDiagnosticLog_Audit.json) \| \|[Resource logs in Azure Stream Analytics should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9be5368-9bf5-4b84-9e0a-7850da98bb46) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_AuditDiagnosticLog_Audit.json) \| \|[Resource logs in Batch accounts should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F428256e6-1fac-4f48-a757-df34c2b3336d) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_AuditDiagnosticLog_Audit.json) \| initiative definition. ### Configuration Settings ID: FedRAMP Moderate CM-6 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Least Functionality ID: FedRAMP Moderate CM-7 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Prevent Program Execution ID: FedRAMP Moderate CM-7 (2) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Authorized Software / Whitelisting ID: FedRAMP Moderate CM-7 (5) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Software Usage Restrictions ID: FedRAMP Moderate CM-10 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### User-installed Software ID: FedRAMP Moderate CM-11 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Alternate Storage Site ID: FedRAMP Moderate CP-6 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Separation from Primary Site ID: FedRAMP Moderate CP-6 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Alternate Processing Site ID: FedRAMP Moderate CP-7 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Information System Backup ID: FedRAMP Moderate CP-9 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Identification and Authentication (organizational Users) ID: FedRAMP Moderate IA-2 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Network Access to Privileged Accounts ID: FedRAMP Moderate IA-2 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Network Access to Non-privileged Accounts ID: FedRAMP Moderate IA-2 (2) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Identifier Management ID: FedRAMP Moderate IA-4 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Authenticator Management ID: FedRAMP Moderate IA-5 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Password-based Authentication ID: FedRAMP Moderate IA-5 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Incident Handling ID: FedRAMP Moderate IR-4 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Incident Monitoring ID: FedRAMP Moderate IR-5 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Vulnerability Scanning ID: FedRAMP Moderate RA-5 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Denial of Service Protection ID: FedRAMP Moderate SC-5 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Boundary Protection ID: FedRAMP Moderate SC-7 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Access Points ID: FedRAMP Moderate SC-7 (3) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Transmission Confidentiality and Integrity ID: FedRAMP Moderate SC-8 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Cryptographic or Alternate Physical Protection ID: FedRAMP Moderate SC-8 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Cryptographic Key Establishment and Management ID: FedRAMP Moderate SC-12 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Protection of Information at Rest ID: FedRAMP Moderate SC-28 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Cryptographic Protection ID: FedRAMP Moderate SC-28 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Flaw Remediation ID: FedRAMP Moderate SI-2 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Malicious Code Protection ID: FedRAMP Moderate SI-3 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Central Management ID: FedRAMP Moderate SI-3 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Information System Monitoring ID: FedRAMP Moderate SI-4 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Memory Protection ID: FedRAMP Moderate SI-16 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\|
governance	Gov Irs 1075 Sept2016	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-irs-1075-sept2016.md	Title: Regulatory Compliance details for IRS 1075 September 2016 (Azure Government) description: Details of the IRS 1075 September 2016 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/15/2022 Last updated : 03/10/2022
governance	Gov Iso 27001	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-iso-27001.md	Title: Regulatory Compliance details for ISO 27001:2013 (Azure Government) description: Details of the ISO 27001:2013 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/15/2022 Last updated : 03/10/2022 This built-in initiative is deployed as part of the \|[Secure transfer to storage accounts should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F404c3081-a854-4457-ae30-26a93ef643f9) \|Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking \|Audit, Deny, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_AuditForHTTPSEnabled_Audit.json) \| \|[Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F617c02be-7f02-4efd-8836-3180d47b6c68) \|Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed \|Audit, Deny, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditClusterProtectionLevel_Audit.json) \| \|[Transparent Data Encryption on SQL databases should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F17k78e20-9358-41c9-923c-fb736d382a12) \|Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlDBEncryption_Audit.json) \| -\|[Transparent Data Encryption on SQL databases should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F17k78e20-9358-41c9-923c-fb736d382a12) \|Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlDBEncryption_Audit.json) \| \|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) \|By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse,](https://aka.ms/disksse,) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) \|AuditIfNotExists, Disabled \|[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) \| \|[Web Application should only be accessible over HTTPS](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) \|Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. \|Audit, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) \| This built-in initiative is deployed as part of the \|[\[Preview\]: Log Analytics Extension should be enabled for listed virtual machine images](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F32133ab0-ee4b-4b44-98d6-042180979d50) \|Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. \|AuditIfNotExists, Disabled \|[2.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_OSImage_Audit.json) \| \|[Audit diagnostic setting](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7f89b1eb-583c-429a-8828-af049802c1d9) \|Audit diagnostic setting for selected resource types \|AuditIfNotExists \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json) \| \|[Auditing on SQL server should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9) \|Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json) \| -\|[Auditing on SQL server should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9) \|Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json) \| \|[Dependency agent should be enabled for listed virtual machine images](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F11ac78e3-31bc-4f0c-8434-37ab963cea07) \|Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DependencyAgent_OSImage_Audit.json) \| \|[Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe2dd799a-a932-4e9d-ac17-d473bc3c6c10) \|Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DependencyAgent_OSImage_VMSS_Audit.json) \| \|[Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138) \|Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. \|AuditIfNotExists, Disabled \|[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_OSImage_VMSS_Audit.json) \| This built-in initiative is deployed as part of the \|[\[Preview\]: Log Analytics Extension should be enabled for listed virtual machine images](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F32133ab0-ee4b-4b44-98d6-042180979d50) \|Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. \|AuditIfNotExists, Disabled \|[2.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_OSImage_Audit.json) \| \|[Audit diagnostic setting](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7f89b1eb-583c-429a-8828-af049802c1d9) \|Audit diagnostic setting for selected resource types \|AuditIfNotExists \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json) \| \|[Auditing on SQL server should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9) \|Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json) \| -\|[Auditing on SQL server should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9) \|Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json) \| \|[Dependency agent should be enabled for listed virtual machine images](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F11ac78e3-31bc-4f0c-8434-37ab963cea07) \|Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DependencyAgent_OSImage_Audit.json) \| \|[Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe2dd799a-a932-4e9d-ac17-d473bc3c6c10) \|Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DependencyAgent_OSImage_VMSS_Audit.json) \| \|[Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138) \|Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. \|AuditIfNotExists, Disabled \|[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_OSImage_VMSS_Audit.json) \| This built-in initiative is deployed as part of the \|[\[Preview\]: Log Analytics Extension should be enabled for listed virtual machine images](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F32133ab0-ee4b-4b44-98d6-042180979d50) \|Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. \|AuditIfNotExists, Disabled \|[2.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_OSImage_Audit.json) \| \|[Audit diagnostic setting](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7f89b1eb-583c-429a-8828-af049802c1d9) \|Audit diagnostic setting for selected resource types \|AuditIfNotExists \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json) \| \|[Auditing on SQL server should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9) \|Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json) \| -\|[Auditing on SQL server should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9) \|Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json) \| \|[Dependency agent should be enabled for listed virtual machine images](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F11ac78e3-31bc-4f0c-8434-37ab963cea07) \|Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DependencyAgent_OSImage_Audit.json) \| \|[Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe2dd799a-a932-4e9d-ac17-d473bc3c6c10) \|Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DependencyAgent_OSImage_VMSS_Audit.json) \| \|[Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138) \|Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. \|AuditIfNotExists, Disabled \|[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_OSImage_VMSS_Audit.json) \|
governance	Gov Nist Sp 800 53 R5	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/gov-nist-sp-800-53-r5.md	Title: Regulatory Compliance details for NIST SP 800-53 Rev. 5 (Azure Government) description: Details of the NIST SP 800-53 Rev. 5 (Azure Government) Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/15/2022 Last updated : 03/10/2022 initiative definition. ### Account Management ID: NIST SP 800-53 Rev. 5 AC-2 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Automated System Account Management ID: NIST SP 800-53 Rev. 5 AC-2 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Privileged User Accounts ID: NIST SP 800-53 Rev. 5 AC-2 (7) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Account Monitoring for Atypical Usage ID: NIST SP 800-53 Rev. 5 AC-2 (12) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Access Enforcement ID: NIST SP 800-53 Rev. 5 AC-3 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Information Flow Enforcement ID: NIST SP 800-53 Rev. 5 AC-4 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Separation of Duties ID: NIST SP 800-53 Rev. 5 AC-5 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Least Privilege ID: NIST SP 800-53 Rev. 5 AC-6 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Review of User Privileges ID: NIST SP 800-53 Rev. 5 AC-6 (7) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Remote Access ID: NIST SP 800-53 Rev. 5 AC-17 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Monitoring and Control ID: NIST SP 800-53 Rev. 5 AC-17 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Audit Record Review, Analysis, and Reporting ID: NIST SP 800-53 Rev. 5 AU-6 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Central Review and Analysis ID: NIST SP 800-53 Rev. 5 AU-6 (4) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| -\|[\[Deprecated\]: Diagnostic logs in App Services should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb607c5de-e7d9-4eee-9e5c-83f1bcee4fa0) \|Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised \|AuditIfNotExists, Disabled \|[2.0.0-deprecated](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditLoggingMonitoring_Audit_v2_deprecated.json) \| \|[\[Preview\]: Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8dfab9c4-fe7b-49ad-85e4-1e9be085358f) \|Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in [https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc](/azure/security-center/defender-for-kubernetes-azure-arc). \|AuditIfNotExists, Disabled \|[3.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Kubernetes/ASC_Azure_Defender_Kubernetes_Arc_Extension_Audit.json) \| \|[\[Preview\]: Network traffic data collection agent should be installed on Linux virtual machines](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F04c4380f-3fae-46e8-96c9-30193528f602) \|Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. \|AuditIfNotExists, Disabled \|[1.0.2-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ASC_Dependency_Agent_Audit_Linux.json) \| \|[\[Preview\]: Network traffic data collection agent should be installed on Windows virtual machines](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2f2ee1de-44aa-4762-b6bd-0893fc3f306d) \|Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. \|AuditIfNotExists, Disabled \|[1.0.2-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ASC_Dependency_Agent_Audit_Windows.json) \| initiative definition. \|[Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa3a6ea0c-e018-4933-9ef0-5aaa1501449b) \|Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_InstallLaAgentOnVmss.json) \| \|[Microsoft Defender for Containers should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) \|Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) \| \|[Network Watcher should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb6e2945c-0b7b-40f5-9233-7a5323b5cdc6) \|Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkWatcher_Enabled_Audit.json) \| +\|[Resource logs in App Services should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F91a78b24-f231-4a8a-8da9-02c35b2b6510) \|Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ResourceLoggingMonitoring_Audit.json) \| \|[Resource logs in Azure Data Lake Store should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057ef27e-665e-4328-8ea3-04b3122bd9fb) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStore_AuditDiagnosticLog_Audit.json) \| \|[Resource logs in Azure Stream Analytics should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9be5368-9bf5-4b84-9e0a-7850da98bb46) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_AuditDiagnosticLog_Audit.json) \| \|[Resource logs in Batch accounts should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F428256e6-1fac-4f48-a757-df34c2b3336d) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_AuditDiagnosticLog_Audit.json) \| initiative definition. ### Integrated Analysis of Audit Records ID: NIST SP 800-53 Rev. 5 AU-6 (5) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| -\|[\[Deprecated\]: Diagnostic logs in App Services should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb607c5de-e7d9-4eee-9e5c-83f1bcee4fa0) \|Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised \|AuditIfNotExists, Disabled \|[2.0.0-deprecated](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditLoggingMonitoring_Audit_v2_deprecated.json) \| \|[\[Preview\]: Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8dfab9c4-fe7b-49ad-85e4-1e9be085358f) \|Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in [https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc](/azure/security-center/defender-for-kubernetes-azure-arc). \|AuditIfNotExists, Disabled \|[3.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Kubernetes/ASC_Azure_Defender_Kubernetes_Arc_Extension_Audit.json) \| \|[\[Preview\]: Network traffic data collection agent should be installed on Linux virtual machines](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F04c4380f-3fae-46e8-96c9-30193528f602) \|Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. \|AuditIfNotExists, Disabled \|[1.0.2-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ASC_Dependency_Agent_Audit_Linux.json) \| \|[\[Preview\]: Network traffic data collection agent should be installed on Windows virtual machines](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2f2ee1de-44aa-4762-b6bd-0893fc3f306d) \|Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. \|AuditIfNotExists, Disabled \|[1.0.2-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ASC_Dependency_Agent_Audit_Windows.json) \| initiative definition. \|[Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa3a6ea0c-e018-4933-9ef0-5aaa1501449b) \|Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_InstallLaAgentOnVmss.json) \| \|[Microsoft Defender for Containers should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) \|Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) \| \|[Network Watcher should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb6e2945c-0b7b-40f5-9233-7a5323b5cdc6) \|Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkWatcher_Enabled_Audit.json) \| +\|[Resource logs in App Services should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F91a78b24-f231-4a8a-8da9-02c35b2b6510) \|Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ResourceLoggingMonitoring_Audit.json) \| \|[Resource logs in Azure Data Lake Store should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057ef27e-665e-4328-8ea3-04b3122bd9fb) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStore_AuditDiagnosticLog_Audit.json) \| \|[Resource logs in Azure Stream Analytics should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9be5368-9bf5-4b84-9e0a-7850da98bb46) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_AuditDiagnosticLog_Audit.json) \| \|[Resource logs in Batch accounts should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F428256e6-1fac-4f48-a757-df34c2b3336d) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_AuditDiagnosticLog_Audit.json) \| initiative definition. ### Audit Record Retention ID: NIST SP 800-53 Rev. 5 AU-11 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Audit Record Generation ID: NIST SP 800-53 Rev. 5 AU-12 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| -\|[\[Deprecated\]: Diagnostic logs in App Services should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb607c5de-e7d9-4eee-9e5c-83f1bcee4fa0) \|Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised \|AuditIfNotExists, Disabled \|[2.0.0-deprecated](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditLoggingMonitoring_Audit_v2_deprecated.json) \| \|[\[Preview\]: Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8dfab9c4-fe7b-49ad-85e4-1e9be085358f) \|Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in [https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc](/azure/security-center/defender-for-kubernetes-azure-arc). \|AuditIfNotExists, Disabled \|[3.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Kubernetes/ASC_Azure_Defender_Kubernetes_Arc_Extension_Audit.json) \| \|[\[Preview\]: Network traffic data collection agent should be installed on Linux virtual machines](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F04c4380f-3fae-46e8-96c9-30193528f602) \|Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. \|AuditIfNotExists, Disabled \|[1.0.2-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ASC_Dependency_Agent_Audit_Linux.json) \| \|[\[Preview\]: Network traffic data collection agent should be installed on Windows virtual machines](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2f2ee1de-44aa-4762-b6bd-0893fc3f306d) \|Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. \|AuditIfNotExists, Disabled \|[1.0.2-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ASC_Dependency_Agent_Audit_Windows.json) \| initiative definition. \|[Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa3a6ea0c-e018-4933-9ef0-5aaa1501449b) \|Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_InstallLaAgentOnVmss.json) \| \|[Microsoft Defender for Containers should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) \|Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) \| \|[Network Watcher should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb6e2945c-0b7b-40f5-9233-7a5323b5cdc6) \|Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkWatcher_Enabled_Audit.json) \| +\|[Resource logs in App Services should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F91a78b24-f231-4a8a-8da9-02c35b2b6510) \|Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ResourceLoggingMonitoring_Audit.json) \| \|[Resource logs in Azure Data Lake Store should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057ef27e-665e-4328-8ea3-04b3122bd9fb) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStore_AuditDiagnosticLog_Audit.json) \| \|[Resource logs in Azure Stream Analytics should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9be5368-9bf5-4b84-9e0a-7850da98bb46) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_AuditDiagnosticLog_Audit.json) \| \|[Resource logs in Batch accounts should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F428256e6-1fac-4f48-a757-df34c2b3336d) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_AuditDiagnosticLog_Audit.json) \| initiative definition. ### System-wide and Time-correlated Audit Trail ID: NIST SP 800-53 Rev. 5 AU-12 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| -\|[\[Deprecated\]: Diagnostic logs in App Services should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb607c5de-e7d9-4eee-9e5c-83f1bcee4fa0) \|Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised \|AuditIfNotExists, Disabled \|[2.0.0-deprecated](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditLoggingMonitoring_Audit_v2_deprecated.json) \| \|[\[Preview\]: Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8dfab9c4-fe7b-49ad-85e4-1e9be085358f) \|Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in [https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc](/azure/security-center/defender-for-kubernetes-azure-arc). \|AuditIfNotExists, Disabled \|[3.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Kubernetes/ASC_Azure_Defender_Kubernetes_Arc_Extension_Audit.json) \| \|[\[Preview\]: Network traffic data collection agent should be installed on Linux virtual machines](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F04c4380f-3fae-46e8-96c9-30193528f602) \|Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. \|AuditIfNotExists, Disabled \|[1.0.2-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ASC_Dependency_Agent_Audit_Linux.json) \| \|[\[Preview\]: Network traffic data collection agent should be installed on Windows virtual machines](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2f2ee1de-44aa-4762-b6bd-0893fc3f306d) \|Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. \|AuditIfNotExists, Disabled \|[1.0.2-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ASC_Dependency_Agent_Audit_Windows.json) \| initiative definition. \|[Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa3a6ea0c-e018-4933-9ef0-5aaa1501449b) \|Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_InstallLaAgentOnVmss.json) \| \|[Microsoft Defender for Containers should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) \|Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Government/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) \| \|[Network Watcher should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb6e2945c-0b7b-40f5-9233-7a5323b5cdc6) \|Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkWatcher_Enabled_Audit.json) \| +\|[Resource logs in App Services should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F91a78b24-f231-4a8a-8da9-02c35b2b6510) \|Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ResourceLoggingMonitoring_Audit.json) \| \|[Resource logs in Azure Data Lake Store should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057ef27e-665e-4328-8ea3-04b3122bd9fb) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStore_AuditDiagnosticLog_Audit.json) \| \|[Resource logs in Azure Stream Analytics should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9be5368-9bf5-4b84-9e0a-7850da98bb46) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_AuditDiagnosticLog_Audit.json) \| \|[Resource logs in Batch accounts should be enabled](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F428256e6-1fac-4f48-a757-df34c2b3336d) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_AuditDiagnosticLog_Audit.json) \| initiative definition. ### Configuration Settings ID: NIST SP 800-53 Rev. 5 CM-6 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Least Functionality ID: NIST SP 800-53 Rev. 5 CM-7 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Prevent Program Execution ID: NIST SP 800-53 Rev. 5 CM-7 (2) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Authorized Software ??? Allow-by-exception ID: NIST SP 800-53 Rev. 5 CM-7 (5) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Software Usage Restrictions ID: NIST SP 800-53 Rev. 5 CM-10 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### User-installed Software ID: NIST SP 800-53 Rev. 5 CM-11 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Alternate Storage Site ID: NIST SP 800-53 Rev. 5 CP-6 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Separation from Primary Site ID: NIST SP 800-53 Rev. 5 CP-6 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Alternate Processing Site ID: NIST SP 800-53 Rev. 5 CP-7 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### System Backup ID: NIST SP 800-53 Rev. 5 CP-9 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Identification and Authentication (organizational Users) ID: NIST SP 800-53 Rev. 5 IA-2 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Multi-factor Authentication to Privileged Accounts ID: NIST SP 800-53 Rev. 5 IA-2 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Multi-factor Authentication to Non-privileged Accounts ID: NIST SP 800-53 Rev. 5 IA-2 (2) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Identifier Management ID: NIST SP 800-53 Rev. 5 IA-4 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Authenticator Management ID: NIST SP 800-53 Rev. 5 IA-5 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Password-based Authentication ID: NIST SP 800-53 Rev. 5 IA-5 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Incident Handling ID: NIST SP 800-53 Rev. 5 IR-4 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Incident Monitoring ID: NIST SP 800-53 Rev. 5 IR-5 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Vulnerability Monitoring and Scanning ID: NIST SP 800-53 Rev. 5 RA-5 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Security Function Isolation ID: NIST SP 800-53 Rev. 5 SC-3 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Denial-of-service Protection ID: NIST SP 800-53 Rev. 5 SC-5 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Boundary Protection ID: NIST SP 800-53 Rev. 5 SC-7 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Access Points ID: NIST SP 800-53 Rev. 5 SC-7 (3) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Transmission Confidentiality and Integrity ID: NIST SP 800-53 Rev. 5 SC-8 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Cryptographic Protection ID: NIST SP 800-53 Rev. 5 SC-8 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Cryptographic Key Establishment and Management ID: NIST SP 800-53 Rev. 5 SC-12 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Protection of Information at Rest ID: NIST SP 800-53 Rev. 5 SC-28 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Cryptographic Protection ID: NIST SP 800-53 Rev. 5 SC-28 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Flaw Remediation ID: NIST SP 800-53 Rev. 5 SI-2 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Malicious Code Protection ID: NIST SP 800-53 Rev. 5 SI-3 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### System Monitoring ID: NIST SP 800-53 Rev. 5 SI-4 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Memory Protection ID: NIST SP 800-53 Rev. 5 SI-16 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\|
governance	Hipaa Hitrust 9 2	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/hipaa-hitrust-9-2.md	Title: Regulatory Compliance details for HIPAA HITRUST 9.2 description: Details of the HIPAA HITRUST 9.2 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/15/2022 Last updated : 03/10/2022 This built-in initiative is deployed as part of the \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| -\|[Audit Windows machines that do not contain the specified certificates in Trusted Root](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F934345e1-4dfb-4c70-90d7-41990dc9608b) \|Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if the machine Trusted Root certificate store (Cert:\LocalMachine\Root) does not contain one or more of the certificates listed by the policy parameter. \|auditIfNotExists \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsCertificateInTrustedRoot_AINE.json) \| +\|[Audit Windows machines that do not contain the specified certificates in Trusted Root](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F934345e1-4dfb-4c70-90d7-41990dc9608b) \|Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if the machine Trusted Root certificate store (Cert:\LocalMachine\Root) does not contain one or more of the certificates listed by the policy parameter. \|auditIfNotExists \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsCertificateInTrustedRoot_AINE.json) \| ### The organization requires the use of encryption between, and the use of electronic signatures by, each of the parties involved in the transaction.
governance	Iso 27001	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/iso-27001.md	Title: Regulatory Compliance details for ISO 27001:2013 description: Details of the ISO 27001:2013 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/15/2022 Last updated : 03/10/2022 This built-in initiative is deployed as part of the \|[Secure transfer to storage accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F404c3081-a854-4457-ae30-26a93ef643f9) \|Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking \|Audit, Deny, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_AuditForHTTPSEnabled_Audit.json) \| \|[Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F617c02be-7f02-4efd-8836-3180d47b6c68) \|Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed \|Audit, Deny, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditClusterProtectionLevel_Audit.json) \| \|[Transparent Data Encryption on SQL databases should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F17k78e20-9358-41c9-923c-fb736d382a12) \|Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlDBEncryption_Audit.json) \| -\|[Transparent Data Encryption on SQL databases should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F17k78e20-9358-41c9-923c-fb736d382a12) \|Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlDBEncryption_Audit.json) \| \|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) \|By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse,](https://aka.ms/disksse,) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) \|AuditIfNotExists, Disabled \|[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) \| \|[Web Application should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) \|Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. \|Audit, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) \| This built-in initiative is deployed as part of the \|[\[Preview\]: Log Analytics Extension should be enabled for listed virtual machine images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F32133ab0-ee4b-4b44-98d6-042180979d50) \|Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. \|AuditIfNotExists, Disabled \|[2.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_OSImage_Audit.json) \| \|[Audit diagnostic setting](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7f89b1eb-583c-429a-8828-af049802c1d9) \|Audit diagnostic setting for selected resource types \|AuditIfNotExists \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json) \| \|[Auditing on SQL server should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9) \|Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json) \| -\|[Auditing on SQL server should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9) \|Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json) \| \|[Dependency agent should be enabled for listed virtual machine images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F11ac78e3-31bc-4f0c-8434-37ab963cea07) \|Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DependencyAgent_OSImage_Audit.json) \| \|[Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe2dd799a-a932-4e9d-ac17-d473bc3c6c10) \|Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DependencyAgent_OSImage_VMSS_Audit.json) \| \|[Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138) \|Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. \|AuditIfNotExists, Disabled \|[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_OSImage_VMSS_Audit.json) \| This built-in initiative is deployed as part of the \|[\[Preview\]: Log Analytics Extension should be enabled for listed virtual machine images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F32133ab0-ee4b-4b44-98d6-042180979d50) \|Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. \|AuditIfNotExists, Disabled \|[2.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_OSImage_Audit.json) \| \|[Audit diagnostic setting](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7f89b1eb-583c-429a-8828-af049802c1d9) \|Audit diagnostic setting for selected resource types \|AuditIfNotExists \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json) \| \|[Auditing on SQL server should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9) \|Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json) \| -\|[Auditing on SQL server should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9) \|Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json) \| \|[Dependency agent should be enabled for listed virtual machine images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F11ac78e3-31bc-4f0c-8434-37ab963cea07) \|Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DependencyAgent_OSImage_Audit.json) \| \|[Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe2dd799a-a932-4e9d-ac17-d473bc3c6c10) \|Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DependencyAgent_OSImage_VMSS_Audit.json) \| \|[Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138) \|Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. \|AuditIfNotExists, Disabled \|[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_OSImage_VMSS_Audit.json) \| This built-in initiative is deployed as part of the \|[\[Preview\]: Log Analytics Extension should be enabled for listed virtual machine images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F32133ab0-ee4b-4b44-98d6-042180979d50) \|Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. \|AuditIfNotExists, Disabled \|[2.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_OSImage_Audit.json) \| \|[Audit diagnostic setting](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7f89b1eb-583c-429a-8828-af049802c1d9) \|Audit diagnostic setting for selected resource types \|AuditIfNotExists \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json) \| \|[Auditing on SQL server should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9) \|Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json) \| -\|[Auditing on SQL server should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9) \|Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json) \| \|[Dependency agent should be enabled for listed virtual machine images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F11ac78e3-31bc-4f0c-8434-37ab963cea07) \|Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DependencyAgent_OSImage_Audit.json) \| \|[Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe2dd799a-a932-4e9d-ac17-d473bc3c6c10) \|Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DependencyAgent_OSImage_VMSS_Audit.json) \| \|[Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138) \|Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. \|AuditIfNotExists, Disabled \|[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_OSImage_VMSS_Audit.json) \|
governance	New Zealand Ism	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/new-zealand-ism.md	Title: Regulatory Compliance details for New Zealand ISM Restricted description: Details of the New Zealand ISM Restricted Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/15/2022 Last updated : 03/10/2022 This built-in initiative is deployed as part of the \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| -\|[\[Deprecated\]: Diagnostic logs in App Services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb607c5de-e7d9-4eee-9e5c-83f1bcee4fa0) \|Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised \|AuditIfNotExists, Disabled \|[2.0.0-deprecated](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditLoggingMonitoring_Audit_v2_deprecated.json) \| \|[Audit usage of custom RBAC rules](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) \|Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling \|Audit, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) \| \|[Auditing on SQL server should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9) \|Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json) \| \|[Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138) \|Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. \|AuditIfNotExists, Disabled \|[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_OSImage_VMSS_Audit.json) \| +\|[Resource logs in App Services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F91a78b24-f231-4a8a-8da9-02c35b2b6510) \|Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ResourceLoggingMonitoring_Audit.json) \| \|[Resource logs in Azure Data Lake Store should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057ef27e-665e-4328-8ea3-04b3122bd9fb) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStore_AuditDiagnosticLog_Audit.json) \| \|[Resource logs in Azure Stream Analytics should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9be5368-9bf5-4b84-9e0a-7850da98bb46) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_AuditDiagnosticLog_Audit.json) \| \|[Resource logs in Batch accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F428256e6-1fac-4f48-a757-df34c2b3336d) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_AuditDiagnosticLog_Audit.json) \|
governance	Nist Sp 800 53 R5	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/nist-sp-800-53-r5.md	Title: Regulatory Compliance details for NIST SP 800-53 Rev. 5 description: Details of the NIST SP 800-53 Rev. 5 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/15/2022 Last updated : 03/10/2022 initiative definition. ### Account Management ID: NIST SP 800-53 Rev. 5 AC-2 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Automated System Account Management ID: NIST SP 800-53 Rev. 5 AC-2 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Privileged User Accounts ID: NIST SP 800-53 Rev. 5 AC-2 (7) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Account Monitoring for Atypical Usage ID: NIST SP 800-53 Rev. 5 AC-2 (12) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Access Enforcement ID: NIST SP 800-53 Rev. 5 AC-3 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Information Flow Enforcement ID: NIST SP 800-53 Rev. 5 AC-4 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Separation of Duties ID: NIST SP 800-53 Rev. 5 AC-5 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Least Privilege ID: NIST SP 800-53 Rev. 5 AC-6 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Review of User Privileges ID: NIST SP 800-53 Rev. 5 AC-6 (7) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Remote Access ID: NIST SP 800-53 Rev. 5 AC-17 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Monitoring and Control ID: NIST SP 800-53 Rev. 5 AC-17 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Audit Record Review, Analysis, and Reporting ID: NIST SP 800-53 Rev. 5 AU-6 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Central Review and Analysis ID: NIST SP 800-53 Rev. 5 AU-6 (4) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| -\|[\[Deprecated\]: Diagnostic logs in App Services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb607c5de-e7d9-4eee-9e5c-83f1bcee4fa0) \|Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised \|AuditIfNotExists, Disabled \|[2.0.0-deprecated](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditLoggingMonitoring_Audit_v2_deprecated.json) \| \|[\[Preview\]: Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8dfab9c4-fe7b-49ad-85e4-1e9be085358f) \|Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in [https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc](/azure/security-center/defender-for-kubernetes-azure-arc). \|AuditIfNotExists, Disabled \|[4.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ASC_Azure_Defender_Kubernetes_Arc_Extension_Audit.json) \| \|[\[Preview\]: Log Analytics extension should be installed on your Linux Azure Arc machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F842c54e8-c2f9-4d79-ae8d-38d8b8019373) \|This policy audits Linux Azure Arc machines if the Log Analytics extension is not installed. \|AuditIfNotExists, Disabled \|[1.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Arc_Linux_LogAnalytics_Audit.json) \| \|[\[Preview\]: Log Analytics extension should be installed on your Windows Azure Arc machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd69b1763-b96d-40b8-a2d9-ca31e9fd0d3e) \|This policy audits Windows Azure Arc machines if the Log Analytics extension is not installed. \|AuditIfNotExists, Disabled \|[1.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Arc_Windows_LogAnalytics_Audit.json) \| initiative definition. \|[Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa3a6ea0c-e018-4933-9ef0-5aaa1501449b) \|Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVmss.json) \| \|[Microsoft Defender for Containers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) \|Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) \| \|[Network Watcher should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb6e2945c-0b7b-40f5-9233-7a5323b5cdc6) \|Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkWatcher_Enabled_Audit.json) \| +\|[Resource logs in App Services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F91a78b24-f231-4a8a-8da9-02c35b2b6510) \|Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ResourceLoggingMonitoring_Audit.json) \| \|[Resource logs in Azure Data Lake Store should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057ef27e-665e-4328-8ea3-04b3122bd9fb) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStore_AuditDiagnosticLog_Audit.json) \| \|[Resource logs in Azure Stream Analytics should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9be5368-9bf5-4b84-9e0a-7850da98bb46) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_AuditDiagnosticLog_Audit.json) \| \|[Resource logs in Batch accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F428256e6-1fac-4f48-a757-df34c2b3336d) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_AuditDiagnosticLog_Audit.json) \| initiative definition. ### Integrated Analysis of Audit Records ID: NIST SP 800-53 Rev. 5 AU-6 (5) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| -\|[\[Deprecated\]: Diagnostic logs in App Services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb607c5de-e7d9-4eee-9e5c-83f1bcee4fa0) \|Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised \|AuditIfNotExists, Disabled \|[2.0.0-deprecated](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditLoggingMonitoring_Audit_v2_deprecated.json) \| \|[\[Preview\]: Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8dfab9c4-fe7b-49ad-85e4-1e9be085358f) \|Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in [https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc](/azure/security-center/defender-for-kubernetes-azure-arc). \|AuditIfNotExists, Disabled \|[4.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ASC_Azure_Defender_Kubernetes_Arc_Extension_Audit.json) \| \|[\[Preview\]: Log Analytics extension should be installed on your Linux Azure Arc machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F842c54e8-c2f9-4d79-ae8d-38d8b8019373) \|This policy audits Linux Azure Arc machines if the Log Analytics extension is not installed. \|AuditIfNotExists, Disabled \|[1.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Arc_Linux_LogAnalytics_Audit.json) \| \|[\[Preview\]: Log Analytics extension should be installed on your Windows Azure Arc machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd69b1763-b96d-40b8-a2d9-ca31e9fd0d3e) \|This policy audits Windows Azure Arc machines if the Log Analytics extension is not installed. \|AuditIfNotExists, Disabled \|[1.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Arc_Windows_LogAnalytics_Audit.json) \| initiative definition. \|[Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa3a6ea0c-e018-4933-9ef0-5aaa1501449b) \|Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVmss.json) \| \|[Microsoft Defender for Containers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) \|Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) \| \|[Network Watcher should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb6e2945c-0b7b-40f5-9233-7a5323b5cdc6) \|Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkWatcher_Enabled_Audit.json) \| +\|[Resource logs in App Services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F91a78b24-f231-4a8a-8da9-02c35b2b6510) \|Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ResourceLoggingMonitoring_Audit.json) \| \|[Resource logs in Azure Data Lake Store should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057ef27e-665e-4328-8ea3-04b3122bd9fb) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStore_AuditDiagnosticLog_Audit.json) \| \|[Resource logs in Azure Stream Analytics should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9be5368-9bf5-4b84-9e0a-7850da98bb46) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_AuditDiagnosticLog_Audit.json) \| \|[Resource logs in Batch accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F428256e6-1fac-4f48-a757-df34c2b3336d) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_AuditDiagnosticLog_Audit.json) \| initiative definition. ### Audit Record Retention ID: NIST SP 800-53 Rev. 5 AU-11 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Audit Record Generation ID: NIST SP 800-53 Rev. 5 AU-12 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| -\|[\[Deprecated\]: Diagnostic logs in App Services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb607c5de-e7d9-4eee-9e5c-83f1bcee4fa0) \|Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised \|AuditIfNotExists, Disabled \|[2.0.0-deprecated](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditLoggingMonitoring_Audit_v2_deprecated.json) \| \|[\[Preview\]: Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8dfab9c4-fe7b-49ad-85e4-1e9be085358f) \|Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in [https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc](/azure/security-center/defender-for-kubernetes-azure-arc). \|AuditIfNotExists, Disabled \|[4.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ASC_Azure_Defender_Kubernetes_Arc_Extension_Audit.json) \| \|[\[Preview\]: Log Analytics extension should be installed on your Linux Azure Arc machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F842c54e8-c2f9-4d79-ae8d-38d8b8019373) \|This policy audits Linux Azure Arc machines if the Log Analytics extension is not installed. \|AuditIfNotExists, Disabled \|[1.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Arc_Linux_LogAnalytics_Audit.json) \| \|[\[Preview\]: Log Analytics extension should be installed on your Windows Azure Arc machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd69b1763-b96d-40b8-a2d9-ca31e9fd0d3e) \|This policy audits Windows Azure Arc machines if the Log Analytics extension is not installed. \|AuditIfNotExists, Disabled \|[1.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Arc_Windows_LogAnalytics_Audit.json) \| initiative definition. \|[Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa3a6ea0c-e018-4933-9ef0-5aaa1501449b) \|Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVmss.json) \| \|[Microsoft Defender for Containers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) \|Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) \| \|[Network Watcher should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb6e2945c-0b7b-40f5-9233-7a5323b5cdc6) \|Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkWatcher_Enabled_Audit.json) \| +\|[Resource logs in App Services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F91a78b24-f231-4a8a-8da9-02c35b2b6510) \|Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ResourceLoggingMonitoring_Audit.json) \| \|[Resource logs in Azure Data Lake Store should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057ef27e-665e-4328-8ea3-04b3122bd9fb) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStore_AuditDiagnosticLog_Audit.json) \| \|[Resource logs in Azure Stream Analytics should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9be5368-9bf5-4b84-9e0a-7850da98bb46) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_AuditDiagnosticLog_Audit.json) \| \|[Resource logs in Batch accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F428256e6-1fac-4f48-a757-df34c2b3336d) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_AuditDiagnosticLog_Audit.json) \| initiative definition. ### System-wide and Time-correlated Audit Trail ID: NIST SP 800-53 Rev. 5 AU-12 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| -\|[\[Deprecated\]: Diagnostic logs in App Services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb607c5de-e7d9-4eee-9e5c-83f1bcee4fa0) \|Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised \|AuditIfNotExists, Disabled \|[2.0.0-deprecated](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditLoggingMonitoring_Audit_v2_deprecated.json) \| \|[\[Preview\]: Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8dfab9c4-fe7b-49ad-85e4-1e9be085358f) \|Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in [https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc](/azure/security-center/defender-for-kubernetes-azure-arc). \|AuditIfNotExists, Disabled \|[4.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ASC_Azure_Defender_Kubernetes_Arc_Extension_Audit.json) \| \|[\[Preview\]: Log Analytics extension should be installed on your Linux Azure Arc machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F842c54e8-c2f9-4d79-ae8d-38d8b8019373) \|This policy audits Linux Azure Arc machines if the Log Analytics extension is not installed. \|AuditIfNotExists, Disabled \|[1.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Arc_Linux_LogAnalytics_Audit.json) \| \|[\[Preview\]: Log Analytics extension should be installed on your Windows Azure Arc machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd69b1763-b96d-40b8-a2d9-ca31e9fd0d3e) \|This policy audits Windows Azure Arc machines if the Log Analytics extension is not installed. \|AuditIfNotExists, Disabled \|[1.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Arc_Windows_LogAnalytics_Audit.json) \| initiative definition. \|[Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa3a6ea0c-e018-4933-9ef0-5aaa1501449b) \|Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVmss.json) \| \|[Microsoft Defender for Containers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) \|Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) \| \|[Network Watcher should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb6e2945c-0b7b-40f5-9233-7a5323b5cdc6) \|Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkWatcher_Enabled_Audit.json) \| +\|[Resource logs in App Services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F91a78b24-f231-4a8a-8da9-02c35b2b6510) \|Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ResourceLoggingMonitoring_Audit.json) \| \|[Resource logs in Azure Data Lake Store should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057ef27e-665e-4328-8ea3-04b3122bd9fb) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStore_AuditDiagnosticLog_Audit.json) \| \|[Resource logs in Azure Stream Analytics should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9be5368-9bf5-4b84-9e0a-7850da98bb46) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_AuditDiagnosticLog_Audit.json) \| \|[Resource logs in Batch accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F428256e6-1fac-4f48-a757-df34c2b3336d) \|Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised \|AuditIfNotExists, Disabled \|[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_AuditDiagnosticLog_Audit.json) \| initiative definition. ### Configuration Settings ID: NIST SP 800-53 Rev. 5 CM-6 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Least Functionality ID: NIST SP 800-53 Rev. 5 CM-7 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Prevent Program Execution ID: NIST SP 800-53 Rev. 5 CM-7 (2) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Authorized Software ??? Allow-by-exception ID: NIST SP 800-53 Rev. 5 CM-7 (5) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Software Usage Restrictions ID: NIST SP 800-53 Rev. 5 CM-10 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### User-installed Software ID: NIST SP 800-53 Rev. 5 CM-11 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Alternate Storage Site ID: NIST SP 800-53 Rev. 5 CP-6 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Separation from Primary Site ID: NIST SP 800-53 Rev. 5 CP-6 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Alternate Processing Site ID: NIST SP 800-53 Rev. 5 CP-7 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### System Backup ID: NIST SP 800-53 Rev. 5 CP-9 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Identification and Authentication (organizational Users) ID: NIST SP 800-53 Rev. 5 IA-2 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Multi-factor Authentication to Privileged Accounts ID: NIST SP 800-53 Rev. 5 IA-2 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Multi-factor Authentication to Non-privileged Accounts ID: NIST SP 800-53 Rev. 5 IA-2 (2) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Identifier Management ID: NIST SP 800-53 Rev. 5 IA-4 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Authenticator Management ID: NIST SP 800-53 Rev. 5 IA-5 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Password-based Authentication ID: NIST SP 800-53 Rev. 5 IA-5 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. \|[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) \|This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). \|deployIfNotExists \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) \| \|[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) \|This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). \|deployIfNotExists \|[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) \| -### Password-based Authentication +## Incident Response -ID: NIST SP 800-53 Rev. 5 IA-5 (1) +### Incident Handling + +ID: NIST SP 800-53 Rev. 5 IR-4 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. \|[Microsoft Defender for Containers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) \|Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) \| \|[Subscriptions should have a contact email address for security issues](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7) \|To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. \|AuditIfNotExists, Disabled \|[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Security_contact_email.json) \| -## Incident Response - ### Incident Monitoring ID: NIST SP 800-53 Rev. 5 IR-5 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Vulnerability Monitoring and Scanning ID: NIST SP 800-53 Rev. 5 RA-5 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Security Function Isolation ID: NIST SP 800-53 Rev. 5 SC-3 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Denial-of-service Protection ID: NIST SP 800-53 Rev. 5 SC-5 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Boundary Protection ID: NIST SP 800-53 Rev. 5 SC-7 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Access Points ID: NIST SP 800-53 Rev. 5 SC-7 (3) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Transmission Confidentiality and Integrity ID: NIST SP 800-53 Rev. 5 SC-8 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Cryptographic Protection ID: NIST SP 800-53 Rev. 5 SC-8 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Cryptographic Key Establishment and Management ID: NIST SP 800-53 Rev. 5 SC-12 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Protection of Information at Rest ID: NIST SP 800-53 Rev. 5 SC-28 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Cryptographic Protection ID: NIST SP 800-53 Rev. 5 SC-28 (1) +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Flaw Remediation ID: NIST SP 800-53 Rev. 5 SI-2 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Malicious Code Protection ID: NIST SP 800-53 Rev. 5 SI-3 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### System Monitoring ID: NIST SP 800-53 Rev. 5 SI-4 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| initiative definition. ### Memory Protection ID: NIST SP 800-53 Rev. 5 SI-16 +Ownership: Shared \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\|
governance	Pci Dss 3 2 1	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/pci-dss-3-2-1.md	+ + Title: Regulatory Compliance details for PCI DSS 3.2.1 +description: Details of the PCI DSS 3.2.1 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Last updated : 03/10/2022+++ +# Details of the PCI DSS 3.2.1 Regulatory Compliance built-in initiative + +The following article details how the Azure Policy Regulatory Compliance built-in initiative +definition maps to compliance domains and controls in PCI DSS 3.2.1. +For more information about this compliance standard, see +[PCI DSS 3.2.1](https://www.pcisecuritystandards.org/documents/PCI_DSS-QRG-v3_2_1.pdf). To understand +_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and +[Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md). + +The following mappings are to the PCI DSS 3.2.1 controls. Use the +navigation on the right to jump directly to a specific compliance domain. Many of the controls +are implemented with an [Azure Policy](../overview.md) initiative definition. To review the complete +initiative definition, open Policy in the Azure portal and select the Definitions page. +Then, find and select the PCI v3.2.1:2018 Regulatory Compliance built-in +initiative definition. + +> [!IMPORTANT] +> Each control below is associated with one or more [Azure Policy](../overview.md) definitions. +> These policies may help you [assess compliance](../how-to/get-compliance-data.md) with the +> control; however, there often is not a one-to-one or complete match between a control and one or +> more policies. As such, Compliant in Azure Policy refers only to the policy definitions +> themselves; this doesn't ensure you're fully compliant with all requirements of a control. In +> addition, the compliance standard includes controls that aren't addressed by any Azure Policy +> definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your +> overall compliance status. The associations between compliance domains, controls, and Azure Policy +> definitions for this compliance standard may change over time. To view the change history, see the +> [GitHub Commit History](https://github.com/Azure/azure-policy/commits/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/PCIv3_2_1_2018_audit.json). + +## Requirement 1 + +### PCI DSS requirement 1.3.2 + +ID: PCI DSS v3.2.1 1.3.2 +Ownership: customer + +\|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| +\|\|\|\|\| +\|[All network ports should be restricted on network security groups associated to your virtual machine](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9daedab3-fb2d-461e-b861-71790eead4f6) \|Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnprotectedEndpoints_Audit.json) \| +\|[Storage accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F34c877ad-507e-4c82-993e-3452a6e0ad3c) \|Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges \|Audit, Deny, Disabled \|[1.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_NetworkAcls_Audit.json) \| + +### PCI DSS requirement 1.3.4 + +ID: PCI DSS v3.2.1 1.3.4 +Ownership: customer + +\|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| +\|\|\|\|\| +\|[All network ports should be restricted on network security groups associated to your virtual machine](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9daedab3-fb2d-461e-b861-71790eead4f6) \|Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnprotectedEndpoints_Audit.json) \| +\|[Storage accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F34c877ad-507e-4c82-993e-3452a6e0ad3c) \|Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges \|Audit, Deny, Disabled \|[1.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_NetworkAcls_Audit.json) \| + +### PCI DSS requirement 1.3.4 + +ID: PCI DSS v3.2.1 1.3.4 +Ownership: customer + +\|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| +\|\|\|\|\| +\|[Audit diagnostic setting](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7f89b1eb-583c-429a-8828-af049802c1d9) \|Audit diagnostic setting for selected resource types \|AuditIfNotExists \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json) \| +\|[Auditing on SQL server should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9) \|Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json) \| +\|[Storage accounts should be migrated to new Azure Resource Manager resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F37e0d2fe-28a5-43d6-a273-67d37d1f5606) \|Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management \|Audit, Deny, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Classic_AuditForClassicStorages_Audit.json) \| +\|[Virtual machines should be migrated to new Azure Resource Manager resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1d84d5fb-01f6-4d12-ba4f-4a26081d403d) \|Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management \|Audit, Deny, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/ClassicCompute_Audit.json) \| + +## Requirement 10 + +### PCI DSS requirement 10.5.4 + +ID: PCI DSS v3.2.1 10.5.4 +Ownership: shared + +\|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| +\|\|\|\|\| +\|[Audit diagnostic setting](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7f89b1eb-583c-429a-8828-af049802c1d9) \|Audit diagnostic setting for selected resource types \|AuditIfNotExists \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json) \| +\|[Auditing on SQL server should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9) \|Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json) \| +\|[Storage accounts should be migrated to new Azure Resource Manager resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F37e0d2fe-28a5-43d6-a273-67d37d1f5606) \|Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management \|Audit, Deny, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Classic_AuditForClassicStorages_Audit.json) \| +\|[Virtual machines should be migrated to new Azure Resource Manager resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1d84d5fb-01f6-4d12-ba4f-4a26081d403d) \|Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management \|Audit, Deny, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/ClassicCompute_Audit.json) \| + +## Requirement 11 + +### PCI DSS requirement 11.2.1 + +ID: PCI DSS v3.2.1 11.2.1 +Ownership: shared + +\|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| +\|\|\|\|\| +\|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) \|Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) \| +\|[Monitor missing Endpoint Protection in Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faf6cd1bd-1635-48cb-bde7-5b15693900b9) \|Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingEndpointProtection_Audit.json) \| +\|[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) \|Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. \|AuditIfNotExists, Disabled \|[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) \| +\|[System updates should be installed on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F86b3d65f-7626-441e-b690-81a8b71cff60) \|Missing security system updates on your servers will be monitored by Azure Security Center as recommendations \|AuditIfNotExists, Disabled \|[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingSystemUpdates_Audit.json) \| +\|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) \|Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) \| + +## Requirement 3 + +### PCI DSS requirement 3.2 + +ID: PCI DSS v3.2.1 3.2 +Ownership: customer + +\|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| +\|\|\|\|\| +\|[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) \|Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) \| +\|[Audit usage of custom RBAC rules](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) \|Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling \|Audit, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) \| +\|[External accounts with owner permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff8456c1c-aa66-4dfb-861a-25d127b775c9) \|External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWithOwnerPermissions_Audit.json) \| +\|[External accounts with read permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f76cf89-fbf2-47fd-a3f4-b891fa780b60) \|External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsReadPermissions_Audit.json) \| +\|[External accounts with write permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5c607a2e-c700-4744-8254-d77e7c9eb5e4) \|External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWritePermissions_Audit.json) \| +\|[MFA should be enabled accounts with write permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9297c21d-2ed6-4474-b48f-163f75654ce3) \|Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForWritePermissions_Audit.json) \| +\|[MFA should be enabled on accounts with owner permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faa633080-8b72-40c4-a2d7-d00c03e80bed) \|Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForOwnerPermissions_Audit.json) \| + +### PCI DSS requirement 3.4 + +ID: PCI DSS v3.2.1 3.4 +Ownership: customer + +\|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| +\|\|\|\|\| +\|[API App should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb7ddfbdc-1260-477d-91fd-98bd9be789a6) \|Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. \|Audit, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceApiApp_AuditHTTP_Audit.json) \| +\|[Automation account variables should be encrypted](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3657f5a0-770e-44a3-b44e-9431ba1e9735) \|It is important to enable encryption of Automation account variable assets when storing sensitive data \|Audit, Deny, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automation/Automation_AuditUnencryptedVars_Audit.json) \| +\|[Function App should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab) \|Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. \|Audit, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json) \| +\|[Only secure connections to your Azure Cache for Redis should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F22bee202-a82f-4305-9a2a-6d7f44d4dedb) \|Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking \|Audit, Deny, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_AuditSSLPort_Audit.json) \| +\|[Secure transfer to storage accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F404c3081-a854-4457-ae30-26a93ef643f9) \|Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking \|Audit, Deny, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_AuditForHTTPSEnabled_Audit.json) \| +\|[Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F617c02be-7f02-4efd-8836-3180d47b6c68) \|Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed \|Audit, Deny, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditClusterProtectionLevel_Audit.json) \| +\|[Transparent Data Encryption on SQL databases should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F17k78e20-9358-41c9-923c-fb736d382a12) \|Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlDBEncryption_Audit.json) \| +\|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) \|By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse,](https://aka.ms/disksse,) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) \|AuditIfNotExists, Disabled \|[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) \| +\|[Web Application should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) \|Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. \|Audit, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) \| + +## Requirement 4 + +### PCI DSS requirement 4.1 + +ID: PCI DSS v3.2.1 4.1 +Ownership: customer + +\|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| +\|\|\|\|\| +\|[API App should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb7ddfbdc-1260-477d-91fd-98bd9be789a6) \|Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. \|Audit, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceApiApp_AuditHTTP_Audit.json) \| +\|[Automation account variables should be encrypted](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3657f5a0-770e-44a3-b44e-9431ba1e9735) \|It is important to enable encryption of Automation account variable assets when storing sensitive data \|Audit, Deny, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automation/Automation_AuditUnencryptedVars_Audit.json) \| +\|[Function App should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab) \|Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. \|Audit, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json) \| +\|[Only secure connections to your Azure Cache for Redis should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F22bee202-a82f-4305-9a2a-6d7f44d4dedb) \|Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking \|Audit, Deny, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_AuditSSLPort_Audit.json) \| +\|[Secure transfer to storage accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F404c3081-a854-4457-ae30-26a93ef643f9) \|Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking \|Audit, Deny, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_AuditForHTTPSEnabled_Audit.json) \| +\|[Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F617c02be-7f02-4efd-8836-3180d47b6c68) \|Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed \|Audit, Deny, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditClusterProtectionLevel_Audit.json) \| +\|[Transparent Data Encryption on SQL databases should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F17k78e20-9358-41c9-923c-fb736d382a12) \|Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlDBEncryption_Audit.json) \| +\|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) \|By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse,](https://aka.ms/disksse,) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) \|AuditIfNotExists, Disabled \|[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) \| +\|[Web Application should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) \|Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. \|Audit, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) \| + +## Requirement 5 + +### PCI DSS requirement 5.1 + +ID: PCI DSS v3.2.1 5.1 +Ownership: shared + +\|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| +\|\|\|\|\| +\|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) \|Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) \| +\|[Monitor missing Endpoint Protection in Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faf6cd1bd-1635-48cb-bde7-5b15693900b9) \|Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingEndpointProtection_Audit.json) \| +\|[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) \|Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. \|AuditIfNotExists, Disabled \|[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) \| +\|[System updates should be installed on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F86b3d65f-7626-441e-b690-81a8b71cff60) \|Missing security system updates on your servers will be monitored by Azure Security Center as recommendations \|AuditIfNotExists, Disabled \|[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingSystemUpdates_Audit.json) \| +\|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) \|Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) \| + +## Requirement 6 + +### PCI DSS requirement 6.2 + +ID: PCI DSS v3.2.1 6.2 +Ownership: shared + +\|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| +\|\|\|\|\| +\|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) \|Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) \| +\|[Monitor missing Endpoint Protection in Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faf6cd1bd-1635-48cb-bde7-5b15693900b9) \|Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingEndpointProtection_Audit.json) \| +\|[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) \|Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. \|AuditIfNotExists, Disabled \|[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) \| +\|[System updates should be installed on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F86b3d65f-7626-441e-b690-81a8b71cff60) \|Missing security system updates on your servers will be monitored by Azure Security Center as recommendations \|AuditIfNotExists, Disabled \|[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingSystemUpdates_Audit.json) \| +\|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) \|Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) \| + +### PCI DSS requirement 6.5.3 + +ID: PCI DSS v3.2.1 6.5.3 +Ownership: shared + +\|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| +\|\|\|\|\| +\|[API App should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb7ddfbdc-1260-477d-91fd-98bd9be789a6) \|Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. \|Audit, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceApiApp_AuditHTTP_Audit.json) \| +\|[Automation account variables should be encrypted](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3657f5a0-770e-44a3-b44e-9431ba1e9735) \|It is important to enable encryption of Automation account variable assets when storing sensitive data \|Audit, Deny, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automation/Automation_AuditUnencryptedVars_Audit.json) \| +\|[Function App should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab) \|Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. \|Audit, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json) \| +\|[Only secure connections to your Azure Cache for Redis should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F22bee202-a82f-4305-9a2a-6d7f44d4dedb) \|Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking \|Audit, Deny, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_AuditSSLPort_Audit.json) \| +\|[Secure transfer to storage accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F404c3081-a854-4457-ae30-26a93ef643f9) \|Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking \|Audit, Deny, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_AuditForHTTPSEnabled_Audit.json) \| +\|[Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F617c02be-7f02-4efd-8836-3180d47b6c68) \|Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed \|Audit, Deny, Disabled \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditClusterProtectionLevel_Audit.json) \| +\|[Transparent Data Encryption on SQL databases should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F17k78e20-9358-41c9-923c-fb736d382a12) \|Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlDBEncryption_Audit.json) \| +\|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) \|By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse,](https://aka.ms/disksse,) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) \|AuditIfNotExists, Disabled \|[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) \| +\|[Web Application should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) \|Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. \|Audit, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) \| + +### PCI DSS requirement 6.6 + +ID: PCI DSS v3.2.1 6.6 +Ownership: shared + +\|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| +\|\|\|\|\| +\|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) \|Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) \| +\|[Monitor missing Endpoint Protection in Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faf6cd1bd-1635-48cb-bde7-5b15693900b9) \|Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingEndpointProtection_Audit.json) \| +\|[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) \|Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. \|AuditIfNotExists, Disabled \|[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) \| +\|[System updates should be installed on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F86b3d65f-7626-441e-b690-81a8b71cff60) \|Missing security system updates on your servers will be monitored by Azure Security Center as recommendations \|AuditIfNotExists, Disabled \|[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingSystemUpdates_Audit.json) \| +\|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) \|Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) \| + +## Requirement 7 + +### PCI DSS requirement 7.1.1 + +ID: PCI DSS v3.2.1 7.1.1 +Ownership: customer + +\|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| +\|\|\|\|\| +\|[A maximum of 3 owners should be designated for your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4f11b553-d42e-4e3a-89be-32ca364cad4c) \|It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateLessThanXOwners_Audit.json) \| +\|[There should be more than one owner assigned to your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F09024ccc-0c5f-475e-9457-b7c0d9ed487b) \|It is recommended to designate more than one subscription owner in order to have administrator access redundancy. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateMoreThanOneOwner_Audit.json) \| + +### PCI DSS requirement 7.1.2 + +ID: PCI DSS v3.2.1 7.1.2 +Ownership: shared + +\|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| +\|\|\|\|\| +\|[A maximum of 3 owners should be designated for your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4f11b553-d42e-4e3a-89be-32ca364cad4c) \|It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateLessThanXOwners_Audit.json) \| +\|[There should be more than one owner assigned to your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F09024ccc-0c5f-475e-9457-b7c0d9ed487b) \|It is recommended to designate more than one subscription owner in order to have administrator access redundancy. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateMoreThanOneOwner_Audit.json) \| + +### PCI DSS requirement 7.1.3 + +ID: PCI DSS v3.2.1 7.1.3 +Ownership: customer + +\|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| +\|\|\|\|\| +\|[A maximum of 3 owners should be designated for your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4f11b553-d42e-4e3a-89be-32ca364cad4c) \|It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateLessThanXOwners_Audit.json) \| +\|[There should be more than one owner assigned to your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F09024ccc-0c5f-475e-9457-b7c0d9ed487b) \|It is recommended to designate more than one subscription owner in order to have administrator access redundancy. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateMoreThanOneOwner_Audit.json) \| + +### PCI DSS requirement 7.2.1 + +ID: PCI DSS v3.2.1 7.2.1 +Ownership: customer + +\|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| +\|\|\|\|\| +\|[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) \|Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) \| +\|[Audit usage of custom RBAC rules](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) \|Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling \|Audit, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) \| +\|[External accounts with owner permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff8456c1c-aa66-4dfb-861a-25d127b775c9) \|External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWithOwnerPermissions_Audit.json) \| +\|[External accounts with read permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f76cf89-fbf2-47fd-a3f4-b891fa780b60) \|External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsReadPermissions_Audit.json) \| +\|[External accounts with write permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5c607a2e-c700-4744-8254-d77e7c9eb5e4) \|External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWritePermissions_Audit.json) \| +\|[MFA should be enabled accounts with write permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9297c21d-2ed6-4474-b48f-163f75654ce3) \|Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForWritePermissions_Audit.json) \| +\|[MFA should be enabled on accounts with owner permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faa633080-8b72-40c4-a2d7-d00c03e80bed) \|Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForOwnerPermissions_Audit.json) \| + +## Requirement 8 + +### PCI DSS requirement 8.1.2 + +ID: PCI DSS v3.2.1 8.1.2 +Ownership: customer + +\|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| +\|\|\|\|\| +\|[Deprecated accounts should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6b1cbf55-e8b6-442f-ba4c-7246b6381474) \|Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveDeprecatedAccounts_Audit.json) \| +\|[Deprecated accounts with owner permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Febb62a0c-3560-49e1-89ed-27e074e9f8ad) \|Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveDeprecatedAccountsWithOwnerPermissions_Audit.json) \| +\|[External accounts with owner permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff8456c1c-aa66-4dfb-861a-25d127b775c9) \|External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWithOwnerPermissions_Audit.json) \| +\|[External accounts with read permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f76cf89-fbf2-47fd-a3f4-b891fa780b60) \|External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsReadPermissions_Audit.json) \| +\|[External accounts with write permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5c607a2e-c700-4744-8254-d77e7c9eb5e4) \|External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWritePermissions_Audit.json) \| + +### PCI DSS requirement 8.1.3 + +ID: PCI DSS v3.2.1 8.1.3 +Ownership: customer + +\|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| +\|\|\|\|\| +\|[Deprecated accounts should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6b1cbf55-e8b6-442f-ba4c-7246b6381474) \|Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveDeprecatedAccounts_Audit.json) \| +\|[Deprecated accounts with owner permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Febb62a0c-3560-49e1-89ed-27e074e9f8ad) \|Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveDeprecatedAccountsWithOwnerPermissions_Audit.json) \| + +### PCI DSS requirement 8.1.5 + +ID: PCI DSS v3.2.1 8.1.5 +Ownership: shared + +\|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| +\|\|\|\|\| +\|[Deprecated accounts should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6b1cbf55-e8b6-442f-ba4c-7246b6381474) \|Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveDeprecatedAccounts_Audit.json) \| +\|[Deprecated accounts with owner permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Febb62a0c-3560-49e1-89ed-27e074e9f8ad) \|Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveDeprecatedAccountsWithOwnerPermissions_Audit.json) \| +\|[External accounts with owner permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff8456c1c-aa66-4dfb-861a-25d127b775c9) \|External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWithOwnerPermissions_Audit.json) \| +\|[External accounts with read permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f76cf89-fbf2-47fd-a3f4-b891fa780b60) \|External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsReadPermissions_Audit.json) \| +\|[External accounts with write permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5c607a2e-c700-4744-8254-d77e7c9eb5e4) \|External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWritePermissions_Audit.json) \| + +### PCI DSS requirement 8.2.3 + +ID: PCI DSS v3.2.1 8.2.3 +Ownership: customer + +\|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| +\|\|\|\|\| +\|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) \|This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). \|modify \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) \| +\|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) \|This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). \|modify \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) \| +\|[Audit Windows machines that allow re-use of the previous 24 passwords](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5b054a0d-39e2-4d53-bea3-9734cad2c69b) \|Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if Windows machines that allow re-use of the previous 24 passwords \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsPasswordEnforce_AINE.json) \| +\|[Audit Windows machines that do not have a maximum password age of 70 days](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4ceb8dc2-559c-478b-a15b-733fbf1e3738) \|Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if Windows machines that do not have a maximum password age of 70 days \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsMaximumPassword_AINE.json) \| +\|[Audit Windows machines that do not restrict the minimum password length to 14 characters](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa2d0e922-65d0-40c4-8f87-ea6da2d307a2) \|Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if Windows machines that do not restrict the minimum password length to 14 characters \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsPasswordLength_AINE.json) \| +\|[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) \|This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). \|deployIfNotExists \|[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) \| + +### PCI DSS requirement 8.2.5 + +ID: PCI DSS v3.2.1 8.2.5 +Ownership: customer + +\|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| +\|\|\|\|\| +\|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) \|This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). \|modify \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) \| +\|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) \|This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). \|modify \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) \| +\|[Audit Windows machines that allow re-use of the previous 24 passwords](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5b054a0d-39e2-4d53-bea3-9734cad2c69b) \|Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if Windows machines that allow re-use of the previous 24 passwords \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsPasswordEnforce_AINE.json) \| +\|[Audit Windows machines that do not have a maximum password age of 70 days](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4ceb8dc2-559c-478b-a15b-733fbf1e3738) \|Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if Windows machines that do not have a maximum password age of 70 days \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsMaximumPassword_AINE.json) \| +\|[Audit Windows machines that do not restrict the minimum password length to 14 characters](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa2d0e922-65d0-40c4-8f87-ea6da2d307a2) \|Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if Windows machines that do not restrict the minimum password length to 14 characters \|AuditIfNotExists, Disabled \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsPasswordLength_AINE.json) \| +\|[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) \|This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). \|deployIfNotExists \|[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) \| + +### PCI DSS requirement 8.3.1 + +ID: PCI DSS v3.2.1 8.3.1 +Ownership: shared + +\|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| +\|\|\|\|\| +\|[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) \|Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) \| +\|[Audit usage of custom RBAC rules](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) \|Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling \|Audit, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) \| +\|[External accounts with owner permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff8456c1c-aa66-4dfb-861a-25d127b775c9) \|External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWithOwnerPermissions_Audit.json) \| +\|[External accounts with read permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f76cf89-fbf2-47fd-a3f4-b891fa780b60) \|External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsReadPermissions_Audit.json) \| +\|[External accounts with write permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5c607a2e-c700-4744-8254-d77e7c9eb5e4) \|External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWritePermissions_Audit.json) \| +\|[MFA should be enabled accounts with write permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9297c21d-2ed6-4474-b48f-163f75654ce3) \|Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForWritePermissions_Audit.json) \| +\|[MFA should be enabled on accounts with owner permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faa633080-8b72-40c4-a2d7-d00c03e80bed) \|Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. \|AuditIfNotExists, Disabled \|[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForOwnerPermissions_Audit.json) \| + +## Next steps + +Additional articles about Azure Policy: + +- [Regulatory Compliance](../concepts/regulatory-compliance.md) overview. +- See the [initiative definition structure](../concepts/initiative-definition-structure.md). +- Review other examples at [Azure Policy samples](./index.md). +- Review [Understanding policy effects](../concepts/effects.md). +- Learn how to [remediate non-compliant resources](../how-to/remediate-resources.md).
governance	Rmit Malaysia	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/rmit-malaysia.md	Title: Regulatory Compliance details for RMIT Malaysia description: Details of the RMIT Malaysia Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/15/2022 Last updated : 03/10/2022 initiative definition. \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| -\|[\[Deprecated\]: Diagnostic logs in App Services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb607c5de-e7d9-4eee-9e5c-83f1bcee4fa0) \|Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised \|AuditIfNotExists, Disabled \|[2.0.0-deprecated](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditLoggingMonitoring_Audit_v2_deprecated.json) \| \|[Activity log should be retained for at least one year](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb02aacc0-b073-424e-8298-42b22829ee0a) \|This policy audits the activity log if the retention is not set for 365 days or forever (retention days set to 0). \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLogRetention_365orGreater.json) \| \|[Audit diagnostic setting](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7f89b1eb-583c-429a-8828-af049802c1d9) \|Audit diagnostic setting for selected resource types \|AuditIfNotExists \|[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json) \| \|[Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1a4e592a-6a6e-44a5-9814-e36264ca96e7) \|This policy ensures that a log profile collects logs for categories 'write,' 'delete,' and 'action' \|AuditIfNotExists, Disabled \|[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_CaptureAllCategories.json) \| initiative definition. \|Name<br /><sub>(Azure portal)</sub> \|Description \|Effect(s) \|Version<br /><sub>(GitHub)</sub> \| \|\|\|\|\| -\|[Azure SQL Database should have the minimal TLS version of 1.2](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F32e6bbec-16b6-44c2-be37-c5b672d103cf) \|Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. \|Audit, Disabled \|[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_MiniumTLSVersion_Audit.json) \| +\|[Azure SQL Database should be running TLS version 1.2 or newer](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F32e6bbec-16b6-44c2-be37-c5b672d103cf) \|Setting TLS version to 1.2 or newer improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2 or newer. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. \|Audit, Disabled, Deny \|[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_MiniumTLSVersion_Audit.json) \| \|[Enforce SSL connection should be enabled for MySQL database servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe802a67a-daf5-4436-9ea6-f6d821dd0c5d) \|Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. \|Audit, Disabled \|[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableSSL_Audit.json) \| \|[Kubernetes cluster pods should only use approved host network and port range](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F82985f06-dc18-4a48-bc1c-b9f4f0098cfe) \|Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](../concepts/policy-for-kubernetes.md). \|audit, deny, disabled \|[4.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/HostNetworkPorts.json) \| \|[Kubernetes cluster services should listen only on allowed ports](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F233a2a17-77ca-4fb1-9b6b-69223d272a44) \|Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](../concepts/policy-for-kubernetes.md). \|audit, deny, disabled \|[6.1.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ServiceAllowedPorts.json) \|
governance	Ukofficial Uknhs	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/ukofficial-uknhs.md	Title: Regulatory Compliance details for UK OFFICIAL and UK NHS description: Details of the UK OFFICIAL and UK NHS Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 02/15/2022 Last updated : 03/10/2022
healthcare-apis	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/azure-api-for-fhir/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure API for FHIR description: Lists Azure Policy Regulatory Compliance controls available for Azure API for FHIR. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
healthcare-apis	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure Healthcare APIs FHIR service description: Lists Azure Policy Regulatory Compliance controls available. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
iot-hub	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-hub/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure IoT Hub description: Lists Azure Policy Regulatory Compliance controls available for Azure IoT Hub. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
key-vault	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure Key Vault description: Lists Azure Policy Regulatory Compliance controls available for Azure Key Vault. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
load-balancer	Tutorial Load Balancer Port Forwarding Portal	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/tutorial-load-balancer-port-forwarding-portal.md	Title: "Tutorial: Create a single instance inbound NAT rule - Azure portal" + Title: "Tutorial: Create a single virtual machine inbound NAT rule - Azure portal" description: This tutorial shows how to configure port forwarding using Azure Load Balancer to create a connection to a single virtual machine in an Azure virtual network. Last updated 03/08/2022 -# Tutorial: Create a single instance inbound NAT rule using the Azure portal +# Tutorial: Create a single virtual machine inbound NAT rule using the Azure portal Inbound NAT rules allow you to connect to virtual machines (VMs) in an Azure virtual network by using an Azure Load Balancer public IP address and port number. A virtual network and subnet is required for the resources in the tutorial. In t \| NIC network security group \| Select Advanced. \| \| Configure network security group \| Select the existing myNSG \| -## Create load balancer +## Create a load balancer You'll create a load balancer in this section. The frontend IP, backend pool, load-balancing, and inbound NAT rules are configured as part of the creation. You'll create a load balancer in this section. The frontend IP, backend pool, lo 33. Select Create. -## Create NAT gateway +## Create a NAT gateway In this section, you'll create a NAT gateway for outbound internet access for resources in the virtual network.
logic-apps	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure Logic Apps description: Lists Azure Policy Regulatory Compliance controls available for Azure Logic Apps. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
machine-learning	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure Machine Learning description: Lists Azure Policy Regulatory Compliance controls available for Azure Machine Learning. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
mariadb	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mariadb/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure Database for MariaDB description: Lists Azure Policy Regulatory Compliance controls available for Azure Database for MariaDB. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
media-services	Job Cancel How To	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/media-services/latest/job-cancel-how-to.md	Use the following methods to cancel a job. ## [CLI](#tab/cli/) ## [REST](#tab/rest/) + +## [Python](#tab/python/) +
media-services	Job Create How To	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/media-services/latest/job-create-how-to.md	Title: Create a job with Media Services -description: The article shows how to create a Job using different methods. +description: The article shows how to create a Media Services job using different methods. Previously updated : 03/01/2022 Last updated : 03/11/2022 [!INCLUDE [media services api v3 logo](./includes/v3-hr.md)] -In Media Services v3, when you submit Jobs to process your videos, you have to tell Media Services where to find the input video. One of the options is to specify an HTTPS URL as a job input (as shown in this article). +The article shows how to create a Media Services job using different methods. + ## Prerequisites In Media Services v3, when you submit Jobs to process your videos, you have to t ## [Portal](#tab/portal/) ## [CLI](#tab/cli/) ## [REST](#tab/rest/) + +## [Python](#tab/python/) +
media-services	Job Delete How To	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/media-services/latest/job-delete-how-to.md	[!INCLUDE [media services api v3 logo](./includes/v3-hr.md)] + ## Methods Use the following methods to delete a job. ## [CLI](#tab/cli/) ## [REST](#tab/rest/) + +## [Python](#tab/python/) +
media-services	Job List How To	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/media-services/latest/job-list-how-to.md	Previously updated : 03/10/2022 Last updated : 03/11/2022 [!INCLUDE [media services api v3 logo](./includes/v3-hr.md)] + ## Methods Use the following methods to list jobs. ## [CLI](#tab/cli/) ## [REST](#tab/rest/) + +## [Python](#tab/python/) +
media-services	Job Show How To	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/media-services/latest/job-show-how-to.md	Previously updated : 03/10/2022 Last updated : 03/11/2022 [!INCLUDE [media services api v3 logo](./includes/v3-hr.md)] + ## Methods Use the following methods to show or get a job. ## [CLI](#tab/cli/) ## [REST](#tab/rest/) + +## [Python](#tab/python/) +
media-services	Job Update How To	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/media-services/latest/job-update-how-to.md	Previously updated : 03/10/2022 Last updated : 03/11/2022 [!INCLUDE [media services api v3 logo](./includes/v3-hr.md)] + ## Methods Use the following methods to update a job. ## [CLI](#tab/cli/) ## [REST](#tab/rest/) + +## [Python](#tab/python/) +
migrate	Migrate Support Matrix Hyper V	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/migrate-support-matrix-hyper-v.md	In addition to discovering servers, Azure Migrate: Discovery and assessment can Support \| Details \| Supported servers \| You can perform software inventory on up to 5,000 servers running across Hyper-V host(s)/cluster(s) added to each Azure Migrate appliance. -Operating systems \| All Windows and Linux versions with [Hyper-V integration services](/virtualization/hyper-v-on-windows/about/supported-guest-os.md) enabled. +Operating systems \| All Windows and Linux versions with [Hyper-V integration services](/virtualization/hyper-v-on-windows/about/supported-guest-os) enabled. Server requirements \| Windows servers must have PowerShell remoting enabled and PowerShell version 2.0 or later installed. <br/><br/> WMI must be enabled and available on Windows servers to gather the details of the roles and features installed on the servers.<br/><br/> Linux servers must have SSH connectivity enabled and ensure that the following commands can be executed on the Linux servers to pull the application data: list, tail, awk, grep, locate, head, sed, ps, print, sort, uniq. Based on OS type and the type of package manager being used, here are some additional commands: rpm/snap/dpkg, yum/apt-cache, mssql-server. Server access \| You can add multiple domain and non-domain (Windows/Linux) credentials in the appliance configuration manager for software inventory.<br /><br /> You must have a guest user account for Windows servers and a standard user account (non-`sudo` access) for all Linux servers. Port access \| For Windows server, need access on port 5985 (HTTP) and for Linux servers, need access on port 22(TCP). Support \| Details Support \| Details \| Supported servers \| You can enable agentless dependency analysis on up to 1000 servers (across multiple Hyper-V hosts/clusters), discovered per appliance. -Operating systems \| All Windows and Linux versions with [Hyper-V integration services](/virtualization/hyper-v-on-windows/about/supported-guest-os.md) enabled. +Operating systems \| All Windows and Linux versions with [Hyper-V integration services](/virtualization/hyper-v-on-windows/about/supported-guest-os) enabled. Server requirements \| Windows servers must have PowerShell remoting enabled and PowerShell version 2.0 or later installed. <br/><br/> Linux servers must have SSH connectivity enabled and ensure that the following commands can be executed on the Linux servers: touch, chmod, cat, ps, grep, echo, sha256sum, awk, netstat, ls, sudo, dpkg, rpm, sed, getcap, which, date. Windows server access \| A user account (local or domain) with administrator permissions on servers. Linux server access \| A root user account, or an account that has these permissions on /bin/netstat and /bin/ls files: <br />CAP_DAC_READ_SEARCH<br /> CAP_SYS_PTRACE<br /><br /> Set these capabilities by using the following commands:<br /><code>sudo setcap CAP_DAC_READ_SEARCH,CAP_SYS_PTRACE=ep /bin/ls<br /> sudo setcap CAP_DAC_READ_SEARCH,CAP_SYS_PTRACE=ep /bin/netstat</code> Support \| Details ## Next steps -[Prepare for assessment of servers running on Hyper-V](./tutorial-discover-hyper-v.md). +[Prepare for assessment of servers running on Hyper-V](./tutorial-discover-hyper-v.md).
mysql	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure Database for MySQL description: Lists Azure Policy Regulatory Compliance controls available for Azure Database for MySQL. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
networking	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/networking/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure networking services description: Lists Azure Policy Regulatory Compliance controls available for Azure networking services. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
postgresql	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure Database for PostgreSQL description: Lists Azure Policy Regulatory Compliance controls available for Azure Database for PostgreSQL. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
purview	Abap Functions Deployment Guide	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/purview/abap-functions-deployment-guide.md	Title: SAP ABAP function module deployment guide - Azure Purview -description: This article outlines the steps to deploy ABAP function module in SAP Server +description: This article outlines the steps to deploy the ABAP function module in your SAP server. Last updated 03/05/2022 # SAP ABAP function module deployment guide -When you scan [SAP ECC](register-scan-sapecc-source.md), [SAP S/4HANA](register-scan-saps4hana-source.md) and [SAP BW](register-scan-sap-bw.md) sources in Azure Purview, you need to create the dependent ABAP function module in your SAP server. Azure Purview invokes this function module to extract the metadata from your SAP system during scan. +When you scan [SAP ECC](register-scan-sapecc-source.md), [SAP S/4HANA](register-scan-saps4hana-source.md), and [SAP BW](register-scan-sap-bw.md) sources in Azure Purview, you need to create the dependent ABAP function module in your SAP server. Azure Purview invokes this function module to extract the metadata from your SAP system during scan. -This document details the steps required to deploy this module. +This article describes the steps required to deploy this module. > [!Note] -> The following instructions were compiled based on the SAP GUI v.7.2 +> The following instructions were compiled based on the SAP GUI v. 7.2. ## Prerequisites -Download the SAP ABAP function module source code from Azure Purview Studio. After you register a source for [SAP ECC](register-scan-sapecc-source.md),[SAP S/4HANA](register-scan-saps4hana-source.md) or [SAP BW](register-scan-sap-bw.md), you can find a download link on top as follows. You can also see the link when new or edit a scan. +Download the SAP ABAP function module source code from Azure Purview Studio. After you register a source for [SAP ECC](register-scan-sapecc-source.md), [SAP S/4HANA](register-scan-saps4hana-source.md), or [SAP BW](register-scan-sap-bw.md), you can find a download link on top as shown in the following image. You can also see the link when you create a new scan or edit a scan. -## Deployment of the Module +## Deploy the module -### Create a Package +Follow the instructions to deploy a module. + +### Create a package This step is optional, and an existing package can be used. -1. Log in to the SAP server and open Object Navigator (SE80 transaction). +1. Sign in to the SAP server and open Object Navigator (SE80 transaction). -2. Select option Package from the list and enter a name for the new package (for example, Z\_MITI) then press button Display. +1. Select Package from the list and enter a name for the new package. For example, use Z\_MITI. Then select Display. -3. Select Yes in the Create Package window. Consequently, a window Package Builder: Create Package opens. Enter value into Short Description field and select the Continue icon. +1. In the Create Package window, select Yes. In the Package Builder: Create Package window, enter a value in the Short Description box. Select the Continue icon. -4. Select Own Requests in the Prompt for local Workbench request window. Select development request. +1. In the Prompt for local Workbench request window, select Own Requests. Select the development request. -### Create a Function Group +### Create a function group -In Object Navigator select Function Group from the list and type its name in the input field below (for example, Z\_MITI\_FGROUP). Select the View icon. +1. In Object Navigator, select Function Group from the list and enter a name in the input box. For example, use Z\_MITI\_FGROUP. Select the View icon. -1. In Create Object window, select yes to create a new function group. +1. In the Create Object window, select yes to create a new function group. -2. Specify an appropriate description in the Short text field and press button Save. +1. Enter a description in the Short Text box and select Save. -3. Choose a package which was prepared in the previous step Create a Package and select Save. +1. Select a package that was prepared in the Create a Package step, and select Save. -4. Confirm a request by pressing icon Continue. +1. Confirm a request by selecting Continue. -5. Activate the Function Group. +1. Activate the function group. -### Create the ABAP Function Module +### Create the ABAP function module -1. Once the function group is created, select it. +1. After the function group is created, select it. -2. Select and hold (or right-click) on the function group name in repository browser, and select Create, then Function Module. +1. Select and hold (or right-click) the function group name in the repository browser. Select Create and then select Function Module. -3. In the Function Module field, enter `Z_MITI_DOWNLOAD`. Populate Short text input with proper description. +1. In the Function module box, enter Z_MITI_DOWNLOAD. Enter a description in the Short Text box. -When the module has been created, specify the following information: +After the module is created, specify the following information: -1. Navigate to the Attributes tab. +1. Go to the Attributes tab. -2. Select Processing Type as Remote-Enabled Function Module. +1. Under Processing Type, select Remote-Enabled Module. - :::image type="content" source="media/abap-functions-deployment-guide/processing-type.png" alt-text="Register sources option - Remote-Enabled Function Module" border="true"::: + :::image type="content" source="media/abap-functions-deployment-guide/processing-type.png" alt-text="Screenshot that shows registering the sources option as Remote-Enabled Module." border="true"::: -3. Navigate to the Source code tab. There are two ways how to deploy code for the function: +1. Go to the Source code tab. There are two ways to deploy code for the function: - a. From the main menu, upload the text file you downloaded from Azure Purview Studio as described in [Prerequisites](#prerequisites). To do so, select Utilities, More Utilities, then Upload/Download, then Upload. + 1. On the main menu, upload the text file you downloaded from Azure Purview Studio as described in [Prerequisites](#prerequisites). To do so, select Utilities > More Utilities > Upload/Download > Upload. - b. Alternatively, open the file, copy its content and paste into Source code area. + 1. Alternatively, open the file and copy and paste the contents in the Source code area. -4. Navigate to the Import tab and create the following parameters: +1. Go to the Import tab and create the following parameters: - a. P\_AREA TYPE DD02L-TABNAME (Optional = True) + 1. P\_AREA TYPE DD02L-TABNAME (Optional = True) - b. P\_LOCAL\_PATH TYPE STRING (Optional = True) + 1. P\_LOCAL\_PATH TYPE STRING (Optional = True) - c. P\_LANGUAGE TYPE L001TAB-DATA DEFAULT \'E\' + 1. P\_LANGUAGE TYPE L001TAB-DATA DEFAULT \'E\' - d. ROWSKIPS TYPE SO\_INT DEFAULT 0 + 1. ROWSKIPS TYPE SO\_INT DEFAULT 0 - e. ROWCOUNT TYPE SO\_INT DEFAULT 0 + 1. ROWCOUNT TYPE SO\_INT DEFAULT 0 > [!Note] - > Choose Pass Value for all of them - - :::image type="content" source="media/abap-functions-deployment-guide/import.png" alt-text="Register sources option - Import parameters" border="true"::: + > Select the Pass Value checkbox for all the parameters. -5. Navigate to the "Tables" tab and define the following: + :::image type="content" source="media/abap-functions-deployment-guide/import.png" alt-text="Screenshot that shows registering the sources option as Import parameters." border="true"::: - `EXPORT_TABLE LIKE TAB512` +1. Go to the Tables tab and define EXPORT_TABLE LIKE TAB512. - :::image type="content" source="media/abap-functions-deployment-guide/export-table.png" alt-text="Register sources options - Tables tab" border="true"::: + :::image type="content" source="media/abap-functions-deployment-guide/export-table.png" alt-text="Screenshot that shows the Tables tab." border="true"::: -6. Navigate to the Exceptions tab and define the following exception: `E_EXP_GUI_DOWNLOADFAILED` +1. Go to the Exceptions tab and define the exception E_EXP_GUI_DOWNLOADFAILED. - :::image type="content" source="media/abap-functions-deployment-guide/exceptions.png" alt-text="Register sources options - Exceptions tab" border="true"::: + :::image type="content" source="media/abap-functions-deployment-guide/exceptions.png" alt-text="Screenshot that shows the Exceptions tab." border="true"::: -7. Save the function (press ctrl+S or choose Function Module, then Save in the main menu). +1. Save the function by selecting Ctrl+S. Or select Function module and then select Save on the main menu. -8. Select the Activate icon on the toolbar (ctrl+F3) and select Continue button in dialog window. If prompted, you should select the generated includes to be activated along with the main function module. +1. Select the Activate icon on the toolbar and then select Continue. You can also select Ctrl+F3. If prompted, select the generated includes to be activated along with the main function module. -### Testing the Function +### Test the function -When all the previous steps are completed, follow the below steps to test the function: +After you finish the previous steps, test the function: -1. Open Z\_MITI\_DOWNLOAD function module. +1. Open the Z\_MITI\_DOWNLOAD function module. -2. Choose Function Module, then Test, then Test Function Module from the main menu (or press F8). +1. On the main menu, select Function Module > Test > Test Function Module. You can also select F8. -3. Enter a path to the folder on the local file system into parameter P\_LOCAL\_PATH and press Execute icon on the toolbar (or press F8). +1. Enter a path to the folder on the local file system in the parameter P\_LOCAL\_PATH. Then select the Execute icon on the toolbar. You can also select F8. -4. Put the name of the area of interest into P\_AREA field if a file with metadata must be downloaded or updated. When the function finishes working, the folder which has been indicated in P\_LOCAL\_PATH parameter must contain several files with metadata inside. The names of files mimic areas which can be specified in P\_AREA field. +1. Enter the name of the area of interest in the P\_AREA field if a file with metadata must be downloaded or updated. After the function finishes working, the folder indicated in the P\_LOCAL\_PATH parameter must contain several files with metadata inside. The names of files mimic areas that can be specified in the P\_AREA field. -The function will finish its execution and metadata will be downloaded much faster in case of launching it on the machine which has high-speed network connection with SAP server. +The function finishes its execution and metadata is downloaded much faster if it's launched on the machine that has a high-speed network connection with the SAP server. ## Next steps - [Register and scan SAP ECC source](register-scan-sapecc-source.md) - [Register and scan SAP S/4HANA source](register-scan-saps4hana-source.md)-- [Register and scan SAP Business Wareouse (BW) source](register-scan-sap-bw.md) +- [Register and scan SAP Business Warehouse (BW) source](register-scan-sap-bw.md)
purview	Concept Best Practices Scanning	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/purview/concept-best-practices-scanning.md	Title: Best practices for scanning of data sources in Azure Purview + Title: Best practices for scanning data sources in Azure Purview description: This article provides best practices for registering and scanning various data sources in Azure Purview. # Azure Purview scanning best practices -Azure Purview supports automated scanning of on-prem, multi-cloud, and SaaS data sources. Running a "scan" invokes the process to ingest metadata from the registered data sources. The metadata curated at the end of scan and curation process includes technical metadata like data asset names (table names/ file names), file size, columns, data lineage and so on. For structured data sources (for example Relational Database Management System) the schema details are also captured. The curation process applies automated classification labels on the schema attributes based on the scan rule set configured, and sensitivity labels if your Azure Purview account is connected to a Microsoft 365 Security & Compliance Center. +Azure Purview supports automated scanning of on-premises, multicloud, and software as a service (SaaS) data sources. + +Running a scan invokes the process to ingest metadata from the registered data sources. The metadata curated at the end of the scan and curation process includes technical metadata. This metadata can include data asset names such as table names or file names, file size, columns, and data lineage. Schema details are also captured for structured data sources. A relational database management system is an example of this type of source. + +The curation process applies automated classification labels on the schema attributes based on the scan rule set configured. Sensitivity labels are applied if your Azure Purview account is connected to the Microsoft 365 Security and Compliance Center. ## Why do you need best practices to manage data sources? -The best practices enable you to optimize cost, build operational excellence, improve security compliance and performance efficiency. -The design considerations and recommendations have been organized based on the key steps involved in the scanning process. +Best practices enable you to: -## Register source and establish connection +- Optimize cost. +- Build operational excellence. +- Improve security compliance. +- Gain performance efficiency. -### Design considerations +## Register a source and establish a connection -- The hierarchy aligning with the organizationΓÇÖs strategy (geographical, business function, source of data, etc.) defining the data sources to be registered and scanned needs to be created using Collections. +The following design considerations and recommendations help you register a source and establish a connection. -- By design, you cannot register data sources multiple times in the same Azure Purview account. This architecture helps to avoid the risk of assigning different access control to the same data source. +### Design considerations + +- Use collections to create the hierarchy that aligns with the organization's strategy, like geographical, business function, or source of data. The hierarchy defines the data sources to be registered and scanned. +- By design, you can't register data sources multiple times in the same Azure Purview account. This architecture helps to avoid the risk of assigning different access control to the same data source. ### Design recommendations -- If the metadata of the same data source is consumed by multiple teams, you can register and manage the data source at a parent collection and create corresponding scans under each subcollection, so relevant assets appear under each child collection. Sources without parents are grouped in a dotted box in the map view with no arrows linking them to parents. +- If the metadata of the same data source is consumed by multiple teams, you can register and manage the data source at a parent collection. Then you can create corresponding scans under each subcollection. In this way, relevant assets appear under each child collection. Sources without parents are grouped in a dotted box in the map view. No arrows link them to parents. :::image type="content" source="media/concept-best-practices/scanning-parent-child.png" alt-text="Screenshot that shows Azure Purview with data source registered at parent collection."::: -- Use Azure Multiple option if you need to register multiple sources (Azure subscriptions or resource groups) on Azure cloud. Refer to the below documentation for more details: +- Use the Azure Multiple option if you need to register multiple sources, such as Azure subscriptions or resource groups, in the cloud. For more information, see the following documentation: + * [Scan multiple sources in Azure Purview](./register-scan-azure-multiple-sources.md) - * [Check data source readiness at scale](./tutorial-data-sources-readiness.md) + * [Check data source readiness at scale](./tutorial-data-sources-readiness.md) * [Configure access to data sources for Azure Purview MSI at scale](./tutorial-msi-configuration.md) - -- Once a data source is registered, you may scan the same source multiple times, in case the same source is being used by different teams or business units differently -For more details on defining a hierarchy for registering data sources, refer to the [best practices on Collections architecture](./concept-best-practices-collections.md) +- After a data source is registered, you might scan the same source multiple times, in case the same source is being used differently by various teams or business units. + +For more information on how to define a hierarchy for registering data sources, see [Best practices on collections architecture](./concept-best-practices-collections.md). ## Scanning +The following design considerations and recommendations are organized based on the key steps involved in the scanning process. + ### Design considerations -- Once the data source is registered, you need to set up a scan to manage automated and secure metadata scanning and curation-- Scan set up includes configuring the name of the scan, scope of scan, integration runtime, scan trigger frequency, scan rule set, and resource set uniquely for each data source per scan frequency.-- Before creating any credentials, consider your data source types and networking requirements to decide which authentication method and integration runtime is needed for your scenario. +- After the data source is registered, set up a scan to manage automated and secure metadata scanning and curation. +- Scan setup includes configuring the name of the scan, scope of scan, integration runtime, scan trigger frequency, scan rule set, and resource set uniquely for each data source per scan frequency. +- Before you create any credentials, consider your data source types and networking requirements. This information helps you decide which authentication method and integration runtime you need for your scenario. ### Design recommendations -To avoid unexpected cost and rework, it is recommended to plan and follow the below order when setting up scan, after registering your source in the relevant [collection](./how-to-create-and-manage-collections.md): +After you register your source in the relevant [collection](./how-to-create-and-manage-collections.md), plan and follow the order shown here when you set up the scan. This process order helps you to avoid unexpected costs and rework. :::image type="content" source="media/concept-best-practices/scanning-scan-order.png" alt-text="Screenshot that shows the order to be followed while preparing a scan."::: -1. Identify your classification requirements from the system in-built classification rules and/or create specific custom classification rules as necessary, based on the specific industry, business, and / or regional requirements (which are not available out-of-the-box) - - Refer [Classification best practices](./concept-best-practices-classification.md) - - Refer for details on how to [create a custom classification and classification rule](./create-a-custom-classification-and-classification-rule.md) +1. Identify your classification requirements from the system in-built classification rules. Or you can create specific custom classification rules, as necessary. Base them on specific industry, business, or regional requirements, which aren't available out of the box: + - See the [classification best practices](./concept-best-practices-classification.md). + - See how to [create a custom classification and classification rule](./create-a-custom-classification-and-classification-rule.md). -2. Create scan rule sets before configuring the scan +1. Create scan rule sets before you configure the scan. :::image type="content" source="media/concept-best-practices/scanning-create-scan-rule-set.png" alt-text="Screenshot that shows the Scan rule sets under Data map."::: - While creating the scan rule set, ensure the following: - - Verify if the system default scan rule set suffices for the data source being scanned, else define your custom scan rule set - - Custom scan rule set can include both system default and custom, hence uncheck those not relevant for the data assets being scanned - - Where necessary, create a custom rule set to exclude unwanted classification labels. For example, the system rule set contains generic government code patterns for the globe, not just the US; so, your data may match the pattern of some other type as well such as ΓÇ£Belgium DriverΓÇÖs License NumberΓÇ¥ - - Limit custom classification rules to most important and relevant labels, to avoid clutter(too many labels tagged to the asset) - - If you modify custom classification or scan rule set, a full scan would be triggered. Hence it is recommended to configure classification and scan rule set appropriately to avoid rework and costly full scans + When you create the scan rule set, ensure the following points: + - Verify if the system default scan rule set is sufficient for the data source being scanned. Otherwise, define your custom scan rule set. + - The custom scan rule set can include both system default and custom, so clear those options not relevant for the data assets being scanned. + - Where necessary, create a custom rule set to exclude unwanted classification labels. For example, the system rule set contains generic government code patterns for the planet, not just the United States. Your data might match the pattern of some other type, such as "Belgium Driver's License Number." + - Limit custom classification rules to most important and relevant labels to avoid clutter. You don't want to have too many labels tagged to the asset. + - If you modify the custom classification or scan rule set, a full scan is triggered. Configure the classification and scan rule set appropriately to avoid rework and costly full scans. - :::image type="content" source="media/concept-best-practices/scanning-create-custom-scan-rule-set.png" alt-text="Screenshot that shows the option to select relevant classification rules while creating the custom scan rule set."::: - + :::image type="content" source="media/concept-best-practices/scanning-create-custom-scan-rule-set.png" alt-text="Screenshot that shows the option to select relevant classification rules when you create the custom scan rule set."::: - > [!NOTE] - > When scanning a storage account, Azure Purview uses a set of defined patterns to determine if a group of assets forms a resource set. Resource set pattern rules allow you to customize or override how Azure Purview detects which assets are grouped as resource sets and how they are displayed within the catalog. - > Refer [How to create resource set pattern rules](./how-to-resource-set-pattern-rules.md) for more details. - > This feature has cost considerations, refer to the [pricing page](https://azure.microsoft.com/pricing/details/azure-purview/) for details. + > [!NOTE] + > When you scan a storage account, Azure Purview uses a set of defined patterns to determine if a group of assets forms a resource set. You can use resource set pattern rules to customize or override how Azure Purview detects which assets are grouped as resource sets. The rules also determine how the assets are displayed within the catalog. + > For more information, see [Create resource set pattern rules](./how-to-resource-set-pattern-rules.md). + > This feature has cost considerations. For information, see the [pricing page](https://azure.microsoft.com/pricing/details/azure-purview/). -3. Set up a scan for the registered data source(s) - - Scan name: By default, Azure Purview uses a naming convention SCAN-[A-Z][a-z][a-z] which is not helpful when trying to identify a scan that you have run. As a best practice, use a meaningful naming convention. An instance could be naming the scan as _environment-source-frequency-time_, for example DEVODS-Daily-0200, which would represent a daily scan at 0200 hrs. +1. Set up a scan for the registered data sources. + - Scan name: By default, Azure Purview uses the naming convention SCAN-[A-Z][a-z][a-z], which isn't helpful when you're trying to identify a scan that you've run. Be sure to use a meaningful naming convention. For instance, you could name the scan _environment-source-frequency-time_ as DEVODS-Daily-0200. This name represents a daily scan at 0200 hours. - - Authentication: Azure Purview offers various authentication methods for scanning the data sources, depending on the type of source (Azure cloud or on-prem or third-party sources). It is recommended to follow the least privilege principle for authentication method following below order of preference: - - Azure Purview MSI - Managed Identity (for example, for Azure Data Lake Gen2 sources) - - User-assigned Managed Identity - - Service Principal - - SQL Authentication (for example, for on-prem or Azure SQL sources) - - Account key or Basic Authentication (for example, for SAP S/4HANA sources) + - Authentication: Azure Purview offers various authentication methods for scanning data sources, depending on the type of source. It could be Azure cloud or on-premises or third-party sources. Follow the least-privilege principle for the authentication method in this order of preference: + - Azure Purview MSI - Managed Service Identity (for example, for Azure Data Lake Storage Gen2 sources) + - User-assigned managed identity + - Service principal + - SQL authentication (for example, for on-premises or Azure SQL sources) + - Account key or basic authentication (for example, for SAP S/4HANA sources) - For details, see the how-to guide to [manage credentials](./manage-credentials.md). + For more information, see the how-to guide to [manage credentials](./manage-credentials.md). > [!Note] - > If you have firewall enabled for the storage account, you must use Managed Identity authentication method when setting up a scan. - > While setting up a new credential, the credential name can only contain _letters, numbers, underscores and hyphens_. + > If you have a firewall enabled for the storage account, you must use the managed identity authentication method when you set up a scan. + > When you set up a new credential, the credential name can only contain _letters, numbers, underscores, and hyphens_. - Integration runtime - - Refer to [Network architecture best practices](./concept-best-practices-network.md#integration-runtime-options). - - If SHIR is deleted, any ongoing scans relying on it will fail. - - While using SHIR, ensure that the memory is sufficient for the data source being scanned. For example, when using SHIR for scanning SAP source, if you observe "out of memory error": - - Ensure the SHIR machine has enough memory (it is recommended to have 128 GB) - - In the scan setting, set the maximum memory Available as some appropriate value (for example, 100) - - For details, refer the Prerequisites in [this](./register-scan-sapecc-source.md#create-and-run-scan) document - - - Scope scan: - - While setting up the scope for the scan, select only the assets, which are relevant at granular level or parent level. This will ensure that the scan cost is optimal and performance is efficient. All future assets under a certain parent will be automatically selected if the parent is fully or partially checked. + - For more information, see [Network architecture best practices](./concept-best-practices-network.md#integration-runtime-options). + - If self-hosted integration runtime (SHIR) is deleted, any ongoing scans that rely on it will fail. + - When you use SHIR, make sure that the memory is sufficient for the data source being scanned. For example, when you use SHIR for scanning an SAP source, if you see "out of memory error": + - Ensure the SHIR machine has enough memory. The recommended amount is 128 GB. + - In the scan setting, set the maximum memory available as some appropriate value, for example, 100. + - For more information, see the prerequisites in [Scan to and manage SAP ECC Azure Purview](./register-scan-sapecc-source.md#create-and-run-scan). + + - Scope scan + - When you set up the scope for the scan, select only the assets that are relevant at a granular level or parent level. This practice ensures that the scan cost is optimal and performance is efficient. All future assets under a certain parent will be automatically selected if the parent is fully or partially checked. - Some examples for some data sources: - - For Azure SQL Database or ADLS Gen2, you can scope your scan to specific parts of the data source such as folders, subfolders, collections, or schemas by checking the appropriate items in the list. - - For Oracle, Hive Metastore Database and Teradata sources, specific list of schemas to be exported can be specified through semi-colon separated values or through schema name patterns using SQL LIKE expressions. - - For Google Big query, specific list of datasets to be exported can be specified through semi-colon separated values. - - When creating a scan for an entire AWS account, you can select specific buckets to scan. When creating a scan for a specific AWS S3 bucket, you can select specific folders to scan. - - For Erwin, you may scope your scan by providing a semicolon separated list of Erwin model locator strings. - - For Cassandra, specific list of key spaces to be exported can be specified through semi-colon separated values or through key spaces name patterns using SQL LIKE expressions. - - For Looker, you may scope your scan by providing a semicolon separated list of Looker projects. - - For Power BI tenant, you may only specify whether to include or exclude personal workspace. + - For Azure SQL Database or Data Lake Storage Gen2, you can scope your scan to specific parts of the data source. Select the appropriate items in the list, such as folders, subfolders, collections, or schemas. + - For Oracle, Hive Metastore Database, and Teradata sources, a specific list of schemas to be exported can be specified through semicolon-separated values or schema name patterns by using SQL LIKE expressions. + - For Google Big query, a specific list of datasets to be exported can be specified through semicolon-separated values. + - When you create a scan for an entire AWS account, you can select specific buckets to scan. When you create a scan for a specific AWS S3 bucket, you can select specific folders to scan. + - For Erwin, you can scope your scan by providing a semicolon-separated list of Erwin model locator strings. + - For Cassandra, a specific list of key spaces to be exported can be specified through semicolon-separated values or through key spaces name patterns by using SQL LIKE expressions. + - For Looker, you can scope your scan by providing a semicolon-separated list of Looker projects. + - For Power BI tenant, you might only specify whether to include or exclude personal workspace. :::image type="content" source="media/concept-best-practices/scanning-scope-scan.png" alt-text="Screenshot that shows the option to scope a scan while configuring the scan."::: - - - In general, it is recommended to use 'ignore patterns' (where supported) based on wild card (for example, for data lakes), to exclude temp, config files, RDBMS system tables or backup / STG tables - - When scanning documents / unstructured data, avoid scanning huge number of such documents as the scan processes the first 20 MB of such documents and may result in longer scan duration. - + - In general, use "ignore patterns," where they're supported, based on wild cards (for example, for data lakes) to exclude temp, config files, RDBMS system tables, or backup or STG tables. + - When you scan documents or unstructured data, avoid scanning a huge number of such documents. The scan processes the first 20 MB of such documents and might result in longer scan duration. - Scan rule set - - While selecting the scan rule set, ensure to configure relevant system / custom scan rule set created earlier - - There is an option to create custom filetypes and you can fill the details accordingly. Currently Azure Purview supports only one character in Custom Delimiter. If you use custom delimiters such as ~ in your actual data, you need to create a new scan rule set + - When you select the scan rule set, make sure to configure the relevant system or custom scan rule set that was created earlier. + - You can create custom filetypes and fill in the details accordingly. Currently, Azure Purview supports only one character in Custom Delimiter. If you use custom delimiters, such as ~, in your actual data, you need to create a new scan rule set. - :::image type="content" source="media/concept-best-practices/scanning-scan-rule-set.png" alt-text="Screenshot that shows the Scan rule set selection while configuring the scan."::: + :::image type="content" source="media/concept-best-practices/scanning-scan-rule-set.png" alt-text="Screenshot that shows the scan rule set selection while configuring the scan."::: - Scan type and schedule - The scan process can be configured to run full or incremental scans. - - It is recommended to run the scans during non-business or off-peak hours to avoid any processing overload on source. - - Initial scan is a full scan, and every subsequent scan is incremental. Subsequent scans may be scheduled as periodic incremental scans. - - The frequency of scans should align with the change management schedule of the data source and/or business requirements. For example: - - If the source structure could potentially change (new assets or fields within an asset are added, modified, or deleted) weekly then scan frequency should be in sync with the same. - - If the classification / sensitivity labels are expected to be up to date on a weekly basis (may be due to regulatory reasons), then scan frequency should be weekly. - For example, if partitions files are being added every week in a source data lake, then you may rather schedule monthly scans instead of weekly scans as there is no change in metadata (assuming there are no new classification scenarios) - - When scheduling a scan that is to be run on the same day it is created, the start time must be before the scan time by at least one minute. - - The maximum duration that the scan may run is seven days (possibly due to memory issues), this excludes the ingestion process. If progress has not been updated after seven days, the scan will be marked as failed. The ingestion (into catalog) process currently does not have any such limitation. + - Run the scans during non-business or off-peak hours to avoid any processing overload on the source. + - Initial scan is a full scan, and every subsequent scan is incremental. Subsequent scans can be scheduled as periodic incremental scans. + - The frequency of scans should align with the change management schedule of the data source or business requirements. For example: + - If the source structure could potentially change weekly, the scan frequency should be in sync. Changes include new assets or fields within an asset that are added, modified, or deleted. + - If the classification or sensitivity labels are expected to be up to date on a weekly basis, perhaps for regulatory reasons, the scan frequency should be weekly. + For example, if partitions files are added every week in a source data lake, you might schedule monthly scans. You don't need to schedule weekly scans because there's no change in metadata. This suggestion assumes there are no new classification scenarios. + - When you schedule a scan to run on the same day it's created, the start time must be before the scan time by at least one minute. + - The maximum duration that the scan can run is seven days, possibly because of memory issues. This time period excludes the ingestion process. If progress hasn't been updated after seven days, the scan is marked as failed. The ingestion (into catalog) process currently doesn't have any such limitation. - Canceling scans - - Currently, scans can only be canceled or paused if the status of the scan has transitioned into "In Progress" state from "Queued" after you trigger the scan. - - Cancelling an individual child scan is not supported. - + - Currently, scans can only be canceled or paused if the status of the scan has transitioned into an "In Progress" state from "Queued" after you trigger the scan. + - Canceling an individual child scan isn't supported. ### Points to note -- If a field / column, table, or a file is removed from the source system after the scan was executed, it will only be reflected (removed) in Azure Purview after the next scheduled full / incremental scan.-- An asset can be deleted from Azure Purview catalog using the delete icon under the name of the asset (this will not remove the object in the source). However, if you run full scan on the same source, it would get reingested in the catalog. If you have scheduled a weekly / monthly scan instead (incremental) the deleted asset will not be picked unless the object is modified at source (for example, a column is added / removed from the table).-- To understand the behavior of subsequent scans after manually editing a data asset or an underlying schema through Azure Purview Studio, refer to [Catalog asset details](./catalog-asset-details.md#scans-on-edited-assets).-- For more details refer the tutorial on [how to view, edit, and delete assets](./catalog-asset-details.md) +- If a field or column, table, or a file is removed from the source system after the scan was executed, it will only be reflected (removed) in Azure Purview after the next scheduled full or incremental scan. +- An asset can be deleted from an Azure Purview catalog by using the Delete icon under the name of the asset. This action won't remove the object in the source. If you run a full scan on the same source, it would get reingested in the catalog. If you've scheduled a weekly or monthly scan instead (incremental), the deleted asset won't be picked unless the object is modified at the source. An example is if a column is added or removed from the table. +- To understand the behavior of subsequent scans after manually editing a data asset or an underlying schema through Azure Purview Studio, see [Catalog asset details](./catalog-asset-details.md#scans-on-edited-assets). +- For more information, see the tutorial on [how to view, edit, and delete assets](./catalog-asset-details.md). ## Next steps-- [Manage data sources](./manage-data-sources.md)+ +[Manage data sources](./manage-data-sources.md)
purview	Concept Best Practices Sensitivity Labels	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/purview/concept-best-practices-sensitivity-labels.md	# Labeling best practices -Azure Purview supports labeling of both structured and unstructured data stored across various data sources. Labeling of data within Azure Purview allows users to easily find data that matches pre-defined auto-labeling rules that have been configured in the Microsoft 365 Security and Compliance Center (SCC). Azure Purview extends the use of Microsoft 365 sensitivity labels to assets stored in infrastructure cloud locations and structured data sources. +Azure Purview supports labeling structured and unstructured data stored across various data sources. Labeling data within Azure Purview allows users to easily find data that matches predefined autolabeling rules that were configured in the Microsoft 365 Security and Compliance Center. Azure Purview extends the use of Microsoft 365 sensitivity labels to assets stored in infrastructure cloud locations and structured data sources. -## Protect Personal Identifiable Information(PII) with Custom Sensitivity Label for Azure Purview, using Microsoft Information Protection +## Protect personal data with custom sensitivity labels for Azure Purview -Storing and processing of Personal Identifiable Information is subject to special protection. With referring to Regulations labeling of Personal Identifiable Information data is crucial to identify and label sensitive information. The detection and labeling tasks of Personal Identifiable Information can be used on different stages of your workflows and because Personal Identifiable Information is ubiquitous and fluid in your organization it is important to define identification rules for building policies that suit your individual situation +Storing and processing personal data is subject to special protection. Labeling personal data is crucial to help you identify sensitive information. You can use the detection and labeling tasks for personal data in different stages of your workflows. Because personal data is ubiquitous and fluid in your organization, you need to define identification rules for building policies that suit your individual situation. -## Why do you need to use Labeling within Azure Purview? +## Why do you need to use labeling within Azure Purview? -Azure Purview allows you to extend your organization's investment in Microsoft 365 sensitivity labels to assets that are stored in files and database columns within Azure, multi-cloud, and on premises locations defined in [Supported data sources](./create-sensitivity-label.md#supported-data-sources). -Applying sensitivity labels to your content enables you to keep your data secure by stating how sensitive certain data is in your organization. -It also abstracts the data itself, so you use labels to track the type of data, without exposing sensitive data on another platform. +With Azure Purview, you can extend your organization's investment in Microsoft 365 sensitivity labels to assets that are stored in files and database columns within Azure, multicloud, and on-premises locations. These locations are defined in [supported data sources](./create-sensitivity-label.md#supported-data-sources). +When you apply sensitivity labels to your content, you can keep your data secure by stating how sensitive certain data is in your organization. Azure Purview also abstracts the data itself, so you can use labels to track the type of data, without exposing sensitive data on another platform. -## Azure Purview Labeling best practices and considerations +## Azure Purview labeling best practices and considerations + +The following sections walk you through the process of implementing labeling for your assets. ### Get started -- Enabling sensitivity labeling in Azure Purview can be accomplished using the steps defined in [How to automatically apply sensitivity labels to your data in Azure Purview](./how-to-automatically-label-your-content.md).-- Required licensing and helpful answers to other questions can be found in the [Sensitivity labels in Azure Purview FAQ](./sensitivity-labels-frequently-asked-questions.yml). +- To enable sensitivity labeling in Azure Purview, follow the steps in [Automatically apply sensitivity labels to your data in Azure Purview](./how-to-automatically-label-your-content.md). +- To find information on required licensing and helpful answers to other questions, see [Sensitivity labels in Azure Purview FAQ](./sensitivity-labels-frequently-asked-questions.yml). ### Label considerations -- If you already have Microsoft 365 sensitivity labels in use in your environment, it is recommended that you continue to use your existing labels rather than making duplicate or more labels for Azure Purview. This approach allows you to maximize the investment you have already made in the Microsoft 365 compliance space and ensures consistent labeling across your data estate.-- If you have not yet created Microsoft 365 sensitivity labels, it is recommended that you review the documentation to [Get started with sensitivity labels](/microsoft-365/compliance/get-started-with-sensitivity-labels). Creating a classification schema is a tenant-wide operation and should be discussed thoroughly before enabling it within your organization. +- If you already have Microsoft 365 sensitivity labels in use in your environment, continue to use your existing labels. Don't make duplicate or more labels for Azure Purview. This approach allows you to maximize the investment you've already made in the Microsoft 365 compliance space. It also ensures consistent labeling across your data estate. +- If you haven't created Microsoft 365 sensitivity labels, review the documentation to [get started with sensitivity labels](/microsoft-365/compliance/get-started-with-sensitivity-labels). Creating a classification schema is a tenant-wide operation. Discuss it thoroughly before you enable it within your organization. ### Label recommendations -- When configuring sensitivity labels for Azure Purview, you may define autolabeling rules for files, database columns, or both within the label properties. Azure Purview will label files within the Azure Purview data map when the autolabeling rule is configured to automatically apply the label or recommend that the label is applied. +- When you configure sensitivity labels for Azure Purview, you might define autolabeling rules for files, database columns, or both within the label properties. Azure Purview labels files within the Azure Purview data map. When the autolabeling rule is configured, Azure Purview automatically applies the label or recommends that the label is applied. -> [!WARNING] -> If you have not already configured autolabeling for files and emails on your sensitivity labels, keep in mind this can have user impact within your Office and Microsoft 365 environment. You may however test autolabeling on database columns without user impact. + > [!WARNING] + > If you haven't configured autolabeling for files and emails on your sensitivity labels, users might be affected within your Office and Microsoft 365 environment. You can test autolabeling on database columns without affecting users. -- If you are defining new autolabeling rules for files when configuring labels for Azure Purview, make sure that you have the condition for applying the label set appropriately. +- If you're defining new autolabeling rules for files when you configure labels for Azure Purview, make sure that you have the condition for applying the label set appropriately. - You can set the detection criteria to All of these or Any of these in the upper right of the autolabeling for files and emails page of the label properties.-- The default setting for detection criteria is All of these which means that the asset must contain all of the specified sensitive info types for the label to be applied. While the default setting may be valid in some instances, many customers prefer to change the setting to Any of these meaning that if at least one of them is found the label is applied.- +- The default setting for detection criteria is All of these. This setting means that the asset must contain all the specified sensitive information types for the label to be applied. While the default setting might be valid in some instances, many customers want to use Any of these. Then if at least one asset is found, the label is applied. -> [!NOTE] -> Microsoft 365 Trainable classifiers are not used by Azure Purview + :::image type="content" source="media/concept-best-practices/label-detection-criteria.png" alt-text="Screenshot that shows detection criteria for a label."::: -- For consistency in labeling across your data estate, if you are using autolabeling rules for files, it is recommended that you use the same sensitive information types for autolabeling database columns. + > [!NOTE] + > Microsoft 365 trainable classifiers aren't used by Azure Purview. -- [Define your sensitivity labels via Microsoft information Protection is recommended to identify your Personal Identifiable Information at central place](/microsoft-365/compliance/information-protection).-- [Use Policy templates as a starting point to build your rulesets](/microsoft-365/compliance/what-the-dlp-policy-templates-include#general-data-protection-regulation-gdpr).-- [Combine Data Classifications to an individual Ruleset](./supported-classifications.md).-- [Force Labeling by using auto label functionality](./how-to-automatically-label-your-content.md).-- Build groups of Sensitivity Labels and store them as dedicated Sensitivity Label Policy ΓÇô for example store all required Sensitivity Labels for Regulatory Rules by using the same Sensitivity Label Policy to publish.-- Capture all test cases for your labels and test your Label policies with all applications you want to secure.-- Promote Sensitivity Label Policies to Azure Purview.-- Run test scans from Azure Purview on different Data Sources (for Example Hybrid-Cloud, On-Premise) to identify Sensitivity Labels.-- Gather and consider insights (for example by using Azure Purview insights) and use alerting mechanism to mitigate potential breaches of Regulations. +- Maintain consistency in labeling across your data estate. If you use autolabeling rules for files, use the same sensitive information types for autolabeling database columns. +- [Define your sensitivity labels via Microsoft Information Protection to identify your personal data at a central place](/microsoft-365/compliance/information-protection). +- [Use policy templates as a starting point to build your rule sets](/microsoft-365/compliance/what-the-dlp-policy-templates-include#general-data-protection-regulation-gdpr). +- [Combine data classifications to an individual rule set](./supported-classifications.md). +- [Force labeling by using autolabel functionality](./how-to-automatically-label-your-content.md). +- Build groups of sensitivity labels and store them as a dedicated sensitivity label policy. For example, store all required sensitivity labels for regulatory rules by using the same sensitivity label policy to publish. +- Capture all test cases for your labels. Test your label policies with all applications you want to secure. +- Promote sensitivity label policies to Azure Purview. +- Run test scans from Azure Purview on different data sources like hybrid cloud and on-premises to identify sensitivity labels. +- Gather and consider insights, for example, by using Azure Purview Insights. Use alerting mechanisms to mitigate potential breaches of regulations. -By using Sensitivity Labels with Azure Purview you are able to extend your Microsoft Information Protection beyond the border of Microsoft Data Estate to your On-prem, Hybrid-Could, Multi-Cloud and SaaS Scenarios. +By using sensitivity labels with Azure Purview, you can extend Microsoft Information Protection beyond the border of your Microsoft data estate to your on-premises, hybrid cloud, multicloud, and software as a service (SaaS) scenarios. ## Next steps - [Get started with sensitivity labels](/microsoft-365/compliance/get-started-with-sensitivity-labels).--- [How to automatically apply sensitivity labels to your data in Azure Purview](how-to-automatically-label-your-content.md). +- [Automatically apply sensitivity labels to your data in Azure Purview](how-to-automatically-label-your-content.md).
purview	Concept Self Service Data Access Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/purview/concept-self-service-data-access-policy.md	+ + Title: Azure Purview Self-service access concepts +description: Understand what self-service access and data discovery are in Azure Purview, and explore how users can take advantage of it. +++++ Last updated : 03/10/2022++ +# Azure Purview Self-service data discovery and access (Preview) + +This article helps you understand Azure Purview Self-service data access policy. + +> [!IMPORTANT] +> Azure Purview Self-service data access policy is currently in PREVIEW. The [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. + +## Important limitations + +The self-service data access policy is only supported when the prerequisites mentioned in [data use governance](./how-to-enable-data-use-governance.md) are satisfied. + +## Overview + +Azure Purview Self-service data access workflow allows data consumer to request access to data when browsing or searching for data. Once the data access request is approved, a policy gets auto-generated to grant access to the requestor provided the data source is enabled for data use governance. Currently, self-service data access policy is supported for storage accounts, containers, folders, and files. + +A workflow admin will need to map a self-service data access workflow to a collection. Collection is logical grouping of data sources that are registered within Azure Purview. Only data source(s) that are registered for data use governance will have self-service policies auto-generated. + +## Terminology + +* Data consumer is anyone who uses the data. Example, a data analyst accessing marketing data for customer segmentation. Data consumer and data requestor will be used interchangeably within this document. + +* Collection is logical grouping of data sources that are registered within Azure Purview. + +* Self-service data access workflow is the workflow that is initiated when a data consumer requests access to data. + +* Approver is either security group or AAD users that can approve self-service access requests. + +## How to use Azure Purview self-service data access policy + +Azure Purview allows organizations to catalog metadata about all registered data assets. It allows data consumers to search for or browse to the required data asset. + +With self-service data access workflow, data consumers can not only find data assets but also request access to the data assets. When the data consumer requests access to a data asset, the associated self-service data access workflow is triggered. + +A default self-service data access workflow template is provided with every Azure Purview account.The default template can be amended to add more approvers and/or set the approver's email address. For more details refer [Create and enable self-service data access workflow](./how-to-workflow-self-service-data-access-hybrid.md). + +Whenever a data consumer requests access to a dataset, the notification is sent to the workflow approver(s). The approver(s) can view the request and approve it either from Azure purview portal or from within the email notification. When the request is approved, a policy is auto-generated and applied against the respective, data source. self-service data access Policy gets auto-generated only if the data source is registered for data use governance. The pre-requisites mentioned within the [data use governance](./how-to-enable-data-use-governance.md) have to be satisfied. + +## Next steps + +If you would like to preview these features in your environment, follow the link below. +- [Enable data use governance](./how-to-enable-data-use-governance.md) +- [create self-service data access workflow](./how-to-workflow-self-service-data-access-hybrid.md) +- [working with policies at file level](https://techcommunity.microsoft.com/t5/azure-purview-blog/data-policy-features-accessing-data-when-file-level-permission/ba-p/3102166) +- [working with policies at folder level](https://techcommunity.microsoft.com/t5/azure-purview-blog/data-policy-features-accessing-data-when-folder-level-permission/ba-p/3109583)
purview	How To Delete Self Service Data Access Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/purview/how-to-delete-self-service-data-access-policy.md	+ + Title: Delete self-service policies +description: This article describes how to delete auto-generated self-service policies +++++ Last updated : 09/27/2021+ +# How to delete self-service data access policies + +In an Azure Purview catalog, you can now request access to datasets and self-service policies get auto-generated if the data source is enabled for data use governance. + +This guide describes how to delete self-service data access policies that have been auto-generated when data access request is approved. + +## Prerequisites + +> [!IMPORTANT] +> To delete self-service policies, make sure that the below prerequisites are completed. + +Self-service policies must exist for them to be deleted. Refer to the articles below to create +self-service policies + +- [Enable Data Use Governance](./how-to-enable-data-use-governance.md) +- [Create a self-service data access workflow](./how-to-workflow-self-service-data-access-hybrid.md) +- [Approve self-service data access request](how-to-workflow-manage-requests-approvals.md) + +## Permission + +Only users with Policy Admin privilege can delete self-service data access policies. + +## Steps to delete self-service data access policies + +### Step 1: Open the Azure portal and launch the Azure purview studio + +The Azure Purview studio can be launched as shown below or by using using the url directly. ++ +### Step 2: Open the policy management tab + +Click the policy management tab to launch the self-service access policies. ++ +### Step 3: Open the self-service access policies tab +++ +### Step 4: Select the policies to be deleted + +The policies can be sorted by the different fields. once sorted, select the policies that need to be deleted. ++ +### Step 5: Delete the policy + +Click the delete button to delete policies that need to be removed. ++ +click OK on the confirmation dialog box to delete the policy. Refresh the screen to check whether the policies have been deleted. + +## Next steps + +- [Self-service data access policy](./concept-self-service-data-access-policy.md)
purview	How To View Self Service Data Access Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/purview/how-to-view-self-service-data-access-policy.md	+ + Title: View self-service policies +description: This article describes how to view auto-generated self-service policies +++++ Last updated : 09/27/2021+ +# How to view self-service data access policies + +In an Azure Purview catalog, you can now request access to datasets and self-service policies get auto-generated if the data source is enabled for data use governance. + +This guide describes how to view self-service data access policies that have been auto-generated when data access request is approved. + +## Prerequisites + +> [!IMPORTANT] +> To view self-service policies, make sure that the below prerequisites are completed. + +Self-service policies must exist for them to be viewed. Refer to the articles below to create +self-service policies + +- [Enable Data Use Governance](./how-to-enable-data-use-governance.md) +- [Create a self-service data access workflow](./how-to-workflow-self-service-data-access-hybrid.md) +- [Approve self-service data access request](how-to-workflow-manage-requests-approvals.md) + +## Permission + +Only users with Policy Admin privilege can delete self-service data access policies. + +## Steps to view self-service data access policies + +### Step 1: Open the Azure portal and launch the Azure purview studio + +The Azure Purview studio can be launched as shown below or by using using the url directly. ++ +### Step 2: Open the policy management tab + +Click the policy management tab to launch the self-service access policies. ++ +### Step 3: Open the self-service access policies tab +++ +### Step 4: View the self-service policies + +The policies can be sorted by the different fields.The policy can be filtered based on data source type and sorted by any of the columns on display ++ +## Next steps + +- [Self-service data access policy](./concept-self-service-data-access-policy.md)
purview	Tutorial Purview Audit Logs Diagnostics	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/purview/tutorial-purview-audit-logs-diagnostics.md	Title: Enable and Capture Azure Purview Audit Logs and time series activity history via Azure Diagnostics Event Hubs -description: This tutorial lists step-by-step configuration on how to enable and capture Azure Purview Audit Logs and time series activity history via Diagnostics Event Hubs. + Title: Enable and capture Azure Purview audit logs and time series activity history via Azure Diagnostics event hubs +description: This tutorial lists the step-by-step configuration required to enable and capture Azure Purview audit logs and time series activity history via Azure Diagnostics event hubs. Last updated 02/10/2022 -# Azure Purview: Audit Logs, Diagnostics & Activity History +# Azure Purview: Audit logs, diagnostics, and activity history -This guide lists step-by-step configuration on how to enable and capture Azure Purview Audit & Diagnostics Logs via Azure Event Hubs. +This tutorial lists the step-by-step configuration required to enable and capture Azure Purview audit and diagnostics logs via Azure Event Hubs. -An Azure Purview administrator or Azure Purview data-source admin needs the ability to monitor audit and diagnostics logs captured from an [Azure Purview](https://azure.microsoft.com/services/purview/#get-started) service. Audit and diagnostics information consists of timestamped history of actions taken and changes made on the Azure Purview account by every user. Captured activity history includes actions in the [Azure Purview portal](https://ms.web.purview.azure.com) and outside the portal (such as calling [Azure Purview REST APIs](/rest/api/purview/) to perform write operations). +An Azure Purview administrator or Azure Purview data-source admin needs the ability to monitor audit and diagnostics logs captured from [Azure Purview](https://azure.microsoft.com/services/purview/#get-started). Audit and diagnostics information consists of the timestamped history of actions taken and changes made to an Azure Purview account by every user. Captured activity history includes actions in the [Azure Purview portal](https://ms.web.purview.azure.com) and outside the portal. Actions outside the portal include calling [Azure Purview REST APIs](/rest/api/purview/) to perform write operations. -This guide will take you through the steps to enable audit logging on Azure Purview, amd how to configure and capture streaming audit events from Azure Purview via Azure Diagnostics Event Hubs service. +This tutorial takes you through the steps to enable audit logging on Azure Purview. It also shows you how to configure and capture streaming audit events from Azure Purview via Azure Diagnostics event hubs. -## Azure Purview Audit History - Categorization of Events +## Azure Purview audit events categories Some of the important categories of Azure Purview audit events that are currently available for capture and analysis are listed in the table. -More types and categories of activity audit events are being added to Azure Purview in the coming months. +More types and categories of activity audit events will be added to Azure Purview. \| Category \| Activity \| Operation \| \|\|\|--\| -\| Management \| Scan Rule Set \| Create \| -\| Management \| Scan Rule Set \| Update \| -\| Management \| Scan Rule Set \| Delete \| -\| Management \| Classification Rule \| Create \| -\| Management \| Classification Rule \| Update \| -\| Management \| Classification Rule \| Delete \| +\| Management \| Scan rule set \| Create \| +\| Management \| Scan rule set \| Update \| +\| Management \| Scan rule set \| Delete \| +\| Management \| Classification rule \| Create \| +\| Management \| Classification rule \| Update \| +\| Management \| Classification rule \| Delete \| \| Management \| Scan \| Create \| \| Management \| Scan \| Update \| \| Management \| Scan \| Delete \| More types and categories of activity audit events are being added to Azure Purv \| Management \| Scan \| Cancel \| \| Management \| Scan \| Create \| \| Management \| Scan \| Schedule \| -\| Management \| Data Source \| Register \| -\| Management \| Data Source \| Update \| -\| Management \| Data Source \| Delete \| +\| Management \| Data source \| Register \| +\| Management \| Data source \| Update \| +\| Management \| Data source \| Delete \| -## Enable Azure Purview Audit & Diagnostics +## Enable Azure Purview audit and diagnostics -### Configure Azure Event Hubs +The following sections walk you through the process of enabling Azure Purview audit and diagnostics. -Create an [Azure Event Hubs Namespace using Azure ARM Template (GitHub)](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.eventhub/eventhubs-create-namespace-and-enable-capture). While this automated Azure ARM Template will deploy and finish creating your Event Hubs with the required configuration; follow these guides for more detailed step by step explanations and manual setup: [Azure Event Hubs: Use Azure Resource Manager Template to enable Event Hubs capture](../event-hubs/event-hubs-resource-manager-namespace-event-hub-enable-capture.md) and [Azure Event Hubs: Enable capturing of events streaming manually using Azure portal](../event-hubs/event-hubs-capture-enable-through-portal.md) +### Configure Event Hubs -### Connect Azure Purview Account to Diagnostics Event Hubs +Create an [Azure Event Hubs namespace by using an Azure Resource Manager (ARM) template (GitHub)](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.eventhub/eventhubs-create-namespace-and-enable-capture). This automated Azure ARM template will deploy and finish creating your Event Hubs instance with the required configuration. -Now that Event Hubs is deployed and created, connect Azure Purview diagnostics audit logging to this Event Hubs: +For step-by-step explanations and manual setup: -1. Go To your Azure Purview Account home page (where the overview information is displayed, not the Azure Purview Studio home page.) and follow instructions as detailed below. +- [Event Hubs: Use an ARM template to enable Event Hubs capture](../event-hubs/event-hubs-resource-manager-namespace-event-hub-enable-capture.md) +- [Event Hubs: Enable capturing of events streaming manually by using the Azure portal](../event-hubs/event-hubs-capture-enable-through-portal.md) -1. Select "Monitoring" -> "Diagnostic Settings" in the left navigation menu. +### Connect an Azure Purview account to Diagnostics event hubs - :::image type="content" source="./media/tutorial-purview-audit-logs-diagnostics/azure-purview-diagnostics-audit-eventhub-e.png" alt-text="Click Azure Purview Diagnostic Settings" lightbox="./media/tutorial-purview-audit-logs-diagnostics/azure-purview-diagnostics-audit-eventhub-e.png"::: +Now that Event Hubs is deployed and created, connect Azure Purview diagnostics audit logging to Event Hubs. -1. Select "Add Diagnostic Settings" or "Edit Setting". Adding more than one row of diagnostic setting in the context of Azure Purview isn't recommended. In other words, if you already have a diagnostic setting row added, don't select "Add Diagnostic"; select "Edit" instead. +1. Go to your Azure Purview account home page. This page is where the overview information is displayed. It's not the Azure Purview Studio home page. - :::image type="content" source="./media/tutorial-purview-audit-logs-diagnostics/azure-purview-diagnostics-audit-eventhub-f.png" alt-text="Add or Edit Diagnostic Settings screen." lightbox="./media/tutorial-purview-audit-logs-diagnostics/azure-purview-diagnostics-audit-eventhub-f.png"::: +1. On the left menu, select Monitoring > Diagnostic settings. -1. Ensure to select checkbox "audit" and "allLogs" to enable collection of Azure Purview audit logs. Optionally, select "allMetrics" if you wish to capture DataMap Capacity Units and Data Map size metrics of the Azure Purview account as well. + :::image type="content" source="./media/tutorial-purview-audit-logs-diagnostics/azure-purview-diagnostics-audit-eventhub-e.png" alt-text="Screenshot that shows selecting Diagnostic settings." lightbox="./media/tutorial-purview-audit-logs-diagnostics/azure-purview-diagnostics-audit-eventhub-e.png"::: - :::image type="content" source="./media/tutorial-purview-audit-logs-diagnostics/azure-purview-diagnostics-audit-eventhub-g.png" alt-text="Configure Azure Purview Diagnostic settings - select diagnostics types" lightbox="./media/tutorial-purview-audit-logs-diagnostics/azure-purview-diagnostics-audit-eventhub-g.png"::: +1. Select Add diagnostic setting or Edit setting. Adding more than one diagnostic setting row in the context of Azure Purview isn't recommended. In other words, if you already have a diagnostic setting row, don't select Add diagnostic. Select Edit instead. -1. Diagnostics Configuration on the Azure Purview account is complete. + :::image type="content" source="./media/tutorial-purview-audit-logs-diagnostics/azure-purview-diagnostics-audit-eventhub-f.png" alt-text="Screenshot that shows the Add or Edit Diagnostic settings screen." lightbox="./media/tutorial-purview-audit-logs-diagnostics/azure-purview-diagnostics-audit-eventhub-f.png"::: -Now that Azure Purview diagnostics audit logging configuration is complete, configure the data capture and data retention settings for the Event Hubs: +1. Select the audit and allLogs checkboxes to enable collection of Azure Purview audit logs. Optionally, select AllMetrics if you also want to capture Data Map capacity units and Data Map size metrics of the Azure Purview account. -1. Go to [Azure portal](https://portal.azure.com) home page and search the name of the Event Hubs Namespace you created earlier. + :::image type="content" source="./media/tutorial-purview-audit-logs-diagnostics/azure-purview-diagnostics-audit-eventhub-g.png" alt-text="Screenshot that shows configuring Azure Purview Diagnostic settings and selecting diagnostic types." lightbox="./media/tutorial-purview-audit-logs-diagnostics/azure-purview-diagnostics-audit-eventhub-g.png"::: -1. Navigate to the Event Hubs Namespace. Select the Event Hubs and select "Capture Data". +Diagnostics configuration on the Azure Purview account is complete. -1. Supply the name of the Event Hubs Namespace and the Event Hubs where you would like the audit and diagnostics to be captured and streamed. Modify the "Time Window" and "Size Window" values for retention period of streaming events. Select Save. +Now that Azure Purview diagnostics audit logging configuration is complete, configure the data capture and data retention settings for Event Hubs. - :::image type="content" source="./media/tutorial-purview-audit-logs-diagnostics/azure-purview-diagnostics-audit-eventhub-h.png" alt-text="Capture Settings on Event Hubs Namespace and Event Hubs." lightbox="./media/tutorial-purview-audit-logs-diagnostics/azure-purview-diagnostics-audit-eventhub-h.png"::: +1. Go to the [Azure portal](https://portal.azure.com) home page, and search for the name of the Event Hubs namespace you created earlier. -1. Optionally, go to "Properties" on the left navigation menu and change the "Message Retention" to any value between 1-7 days. Retention period value depends on the frequency of scheduled jobs/scripts you've created to continuously listen and capture the streaming events. If you schedule a capture once every week, take the slider to seven days. +1. Go to the Event Hubs namespace. Select Event Hubs > Capture Data. - :::image type="content" source="./media/tutorial-purview-audit-logs-diagnostics/azure-purview-diagnostics-audit-eventhub-i.png" alt-text="Event Hubs properties - message retention period." lightbox="./media/tutorial-purview-audit-logs-diagnostics/azure-purview-diagnostics-audit-eventhub-i.png"::: +1. Supply the name of the Event Hubs namespace and the event hub where you want the audit and diagnostics to be captured and streamed. Modify the Time Window and Size Window values for the retention period of the streaming events. Select Save. -1. At this stage, the Event Hubs configuration will be complete. Azure Purview will start streaming all its audit history and diagnostics data to this Event Hubs. You can now proceed to read, extract and perform further analytics and operations on the captured diagnostics and audit events. + :::image type="content" source="./media/tutorial-purview-audit-logs-diagnostics/azure-purview-diagnostics-audit-eventhub-h.png" alt-text="Screenshot that shows Capture settings on the Event Hubs namespace and Event Hubs." lightbox="./media/tutorial-purview-audit-logs-diagnostics/azure-purview-diagnostics-audit-eventhub-h.png"::: -### Reading captured "audit" events +1. Optionally, on the left menu, go to Properties and change Message Retention to any value between one and seven days. The retention period value depends on the frequency of scheduled jobs or the scripts you've created to continuously listen and capture the streaming events. If you schedule a capture once every week, move the slider to seven days. -Analyzing and making sense of the captured Audit and Diagnostics log data from Azure Purview: + :::image type="content" source="./media/tutorial-purview-audit-logs-diagnostics/azure-purview-diagnostics-audit-eventhub-i.png" alt-text="Screenshot that shows Event Hubs Properties message retention period." lightbox="./media/tutorial-purview-audit-logs-diagnostics/azure-purview-diagnostics-audit-eventhub-i.png"::: -1. Navigate to "Process Data" on the Event Hubs page to see a preview of the captured Azure Purview audit logs and diagnostics. +1. At this stage, the Event Hubs configuration is complete. Azure Purview will start streaming all its audit history and diagnostics data to this event hub. You can now proceed to read, extract, and perform further analytics and operations on the captured diagnostics and audit events. + +### Read captured audit events + +To analyze the captured audit and diagnostics log data from Azure Purview: + +1. Go to Process data on the Event Hubs page to see a preview of the captured Azure Purview audit logs and diagnostics. - :::image type="content" source="./media/tutorial-purview-audit-logs-diagnostics/azure-purview-diagnostics-audit-eventhub-d.png" alt-text="Configure Event Hubs - Process Data." lightbox="./media/tutorial-purview-audit-logs-diagnostics/azure-purview-diagnostics-audit-eventhub-d.png"::: + :::image type="content" source="./media/tutorial-purview-audit-logs-diagnostics/azure-purview-diagnostics-audit-eventhub-d.png" alt-text="Screenshot that shows configuring Event Hubs Process data." lightbox="./media/tutorial-purview-audit-logs-diagnostics/azure-purview-diagnostics-audit-eventhub-d.png"::: - :::image type="content" source="./media/tutorial-purview-audit-logs-diagnostics/azure-purview-diagnostics-audit-eventhub-c.png" alt-text="Navigating Azure Event Hubs." lightbox="./media/tutorial-purview-audit-logs-diagnostics/azure-purview-diagnostics-audit-eventhub-c.png"::: + :::image type="content" source="./media/tutorial-purview-audit-logs-diagnostics/azure-purview-diagnostics-audit-eventhub-c.png" alt-text="Screenshot that shows navigating Event Hubs." lightbox="./media/tutorial-purview-audit-logs-diagnostics/azure-purview-diagnostics-audit-eventhub-c.png"::: -1. Switch between "Table" and "Raw" view of the JSON output. +1. Switch between the Table and Raw views of the JSON output. - :::image type="content" source="./media/tutorial-purview-audit-logs-diagnostics/azure-purview-diagnostics-audit-eventhub-a.png" alt-text="Explore Azure Purview Audit Events on Event Hubs." lightbox="./media/tutorial-purview-audit-logs-diagnostics/azure-purview-diagnostics-audit-eventhub-a.png"::: + :::image type="content" source="./media/tutorial-purview-audit-logs-diagnostics/azure-purview-diagnostics-audit-eventhub-a.png" alt-text="Screenshot that shows exploring Azure Purview audit events on Event Hubs." lightbox="./media/tutorial-purview-audit-logs-diagnostics/azure-purview-diagnostics-audit-eventhub-a.png"::: -1. Select "Download Sample Data" to download and analyze the results carefully. +1. Select Download sample data and analyze the results carefully. - :::image type="content" source="./media/tutorial-purview-audit-logs-diagnostics/azure-purview-diagnostics-audit-eventhub-b.png" alt-text="Query and Process Azure Purview Audit data on Event Hubs." lightbox="./media/tutorial-purview-audit-logs-diagnostics/azure-purview-diagnostics-audit-eventhub-b.png"::: + :::image type="content" source="./media/tutorial-purview-audit-logs-diagnostics/azure-purview-diagnostics-audit-eventhub-b.png" alt-text="Screenshot that shows Query and Process Azure Purview Audit data on Event Hubs." lightbox="./media/tutorial-purview-audit-logs-diagnostics/azure-purview-diagnostics-audit-eventhub-b.png"::: Now that you know how to gather this information, you can use automatic, scheduled scripts to extract, read, and perform further analytics on the Event Hubs audit and diagnostics data. You can even build your own utilities and custom code to extract business value from captured audit events. -These audit logs can also be transformed to Excel, any database, Dataverse, or Synapse Analytics database, for analytics and reporting using Power BI. +These audit logs can also be transformed to Excel, any database, Dataverse, or Synapse Analytics database for analytics and reporting by using Power BI. -While you're free to use any programming or scripting language of your choice to read the Event Hubs, here's one ready-made [Python-based script](https://github.com/Azure/Azure-Purview-API-PowerShell/blob/main/purview_atlas_eventhub_sample.py). Python tutorial on how to [capture Event Hubs data in Azure Storage and read it by using Python (azure-eventhub)](../event-hubs/event-hubs-capture-python.md). +While you're free to use any programming or scripting language of your choice to read the event hubs, here's a ready-made [Python-based script](https://github.com/Azure/Azure-Purview-API-PowerShell/blob/main/purview_atlas_eventhub_sample.py). See this Python tutorial on how to [capture Event Hubs data in Azure Storage and read it by using Python (azure-eventhub)](../event-hubs/event-hubs-capture-python.md). ## Next steps -Kickstart your Azure Purview journey in less than 5 minutes. Enable Diagnostic Audit Logging from the beginning of your journey! +Enable diagnostic audit logging and kickstart your Azure Purview journey. + > [!div class="nextstepaction"] -> [Azure Purview: automated New Account Setup](https://aka.ms/PurviewKickstart) +> [Azure Purview: Automated new account setup](https://aka.ms/PurviewKickstart)
role-based-access-control	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure RBAC description: Lists Azure Policy Regulatory Compliance controls available for Azure role-based access control (Azure RBAC). These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
search	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure Cognitive Search description: Lists Azure Policy Regulatory Compliance controls available for Azure Cognitive Search. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
sentinel	Authentication Normalization Schema	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/authentication-normalization-schema.md	Title: Microsoft Sentinel Authentication normalization schema reference \| Microsoft Docs + Title: The Advanced Security Information Model (ASIM) Authentication normalization schema reference (Public preview) \| Microsoft Docs description: This article describes the Microsoft Sentinel Authentication normalization schema.-+ Last updated 11/09/2021--+ -# Microsoft Sentinel Authentication normalization schema reference (Public preview) +# The Advanced Security Information Model (ASIM) Authentication normalization schema reference (Public preview) [!INCLUDE [Banner for top of topics](./includes/banner.md)] An Actor, running an acting Application, ActingApp, on a source system, In the following tables, Type refers to a logical type. For more information, see [Logical types](normalization-about-schemas.md#logical-types). -### Common fields +### Common ASIM fields > [!IMPORTANT] -> Fields common to all schemas are described in the [ASIM schema overview](normalization-about-schemas.md#common). The following list mentions only fields that have specific guidelines for user management events. +> Fields common to all schemas are described in detail in the [ASIM Common Fields](normalization-common-fields.md) article. > +#### Common fields with specific guidelines + +The following list mentions fields that have specific guidelines for authentication events: + \| Field \| Class \| Type \| Description \| \|\|-\|\|--\| \| EventType \| Mandatory \| Enumerated \| Describes the operation reported by the record. <br><br>For Authentication records, supported values include: <br>- `Logon` <br>- `Logoff`\| -\| <a name ="eventresultdetails"></a>EventResultDetails \| Optional \| String \| One of the following values: <br><br>- `No such user or password`. This value should be used also when the original event reports that there is no such user, without reference to a password. <br>- `Incorrect password`<br>- `Account expired`<br>- `Password expired`<br>- `User locked`<br>- `User disabled`<br>- `Logon violates policy`. This value should be used when the original event reports, for example: MFA required, logon outside of working hours, conditional access restrictions, or too frequent attempts.<br>- `Session expired`<br>- `Other`<br><br>Note: The value may be provided in the source record using different terms, which should be normalized to these values. The original value should be stored in the field [EventOriginalResultDetails](normalization-about-schemas.md#eventoriginalresultdetails)\| -\| EventSubType \| Optional \| String \| The sign-in type. Allowed values include: `System`, `Interactive`, `Service`, `RemoteInteractive`, `RemoteService`, `AssumeRole`. <br><br>Example: `Interactive`. Store the original value in [EventOriginalSubType](normalization-about-schemas.md#eventoriginalsubtype). \| +\| <a name ="eventresultdetails"></a>EventResultDetails \| Optional \| String \| One of the following values: <br><br>- `No such user or password`. This value should be used also when the original event reports that there is no such user, without reference to a password. <br>- `Incorrect password`<br>- `Account expired`<br>- `Password expired`<br>- `User locked`<br>- `User disabled`<br>- `Logon violates policy`. This value should be used when the original event reports, for example: MFA required, logon outside of working hours, conditional access restrictions, or too frequent attempts.<br>- `Session expired`<br>- `Other`<br><br>Note: The value may be provided in the source record using different terms, which should be normalized to these values. The original value should be stored in the field [EventOriginalResultDetails](normalization-common-fields.md#eventoriginalresultdetails)\| +\| EventSubType \| Optional \| String \| The sign-in type. Allowed values include: `System`, `Interactive`, `Service`, `RemoteInteractive`, `RemoteService`, `AssumeRole`. <br><br>Example: `Interactive`. Store the original value in [EventOriginalSubType](normalization-common-fields.md#eventoriginalsubtype). \| \| EventSchemaVersion \| Mandatory \| String \| The version of the schema. The version of the schema documented here is `0.1.1` \| -\| EventSchema \| Mandatory \| String \| The name of the schema documented here is Authentication. \| +\| EventSchema \| Optional \| String \| The name of the schema documented here is Authentication. \| \| Dvc fields\| - \| - \| For authentication events, device fields refer to the system reporting the event. \| \| \| \| \| \| +> [!IMPORTANT] +> The `EventSchema` field is currently optional but will become Mandatory on July 1st 2022. +> + +#### All common fields + +Fields that appear in the table below are common to all ASIM schemas. Any guideline specified above overrides the general guidelines for the field. For example, a field might be optional in general, but mandatory for a specific schema. For further details on each field, refer to the [ASIM Common Fields](normalization-common-fields.md) article. + +\| Class \| Fields \| +\| \| - \| +\| Mandatory \| - [EventCount](normalization-common-fields.md#eventcount)<br> - [EventStartTime](normalization-common-fields.md#eventstarttime)<br> - [EventEndTime](normalization-common-fields.md#eventendtime)<br> - [EventType](normalization-common-fields.md#eventtype)<br>- [EventResult](normalization-common-fields.md#eventresult)<br> - [EventProduct](normalization-common-fields.md#eventproduct)<br> - [EventVendor](normalization-common-fields.md#eventvendor)<br> - [EventSchema](normalization-common-fields.md#eventschema)<br> - [EventSchemaVersion](normalization-common-fields.md#eventschemaversion)<br> - [Dvc](normalization-common-fields.md#dvc)<br>\| +\| Recommended \| - [EventResultDetails](normalization-common-fields.md#eventresultdetails)<br>- [EventSeverity](normalization-common-fields.md#eventseverity)<br> - [DvcIpAddr](normalization-common-fields.md#dvcipaddr)<br> - [DvcHostname](normalization-common-fields.md#dvchostname)<br> - [DvcDomain](normalization-common-fields.md#dvcdomain)<br>- [DvcDomainType](normalization-common-fields.md#dvcdomaintype)<br>- [DvcFQDN](normalization-common-fields.md#dvcfqdn)<br>- [DvcId](normalization-common-fields.md#dvcid)<br>- [DvcIdType](normalization-common-fields.md#dvcidtype)<br>- [DvcAction](normalization-common-fields.md#dvcaction)\| +\| Optional \| - [EventMessage](normalization-common-fields.md#eventmessage)<br> - [EventSubType](normalization-common-fields.md#eventsubtype)<br>- [EventOriginalUid](normalization-common-fields.md#eventoriginaluid)<br>- [EventOriginalType](normalization-common-fields.md#eventoriginaltype)<br>- [EventOriginalSubType](normalization-common-fields.md#eventoriginalsubtype)<br>- [EventOriginalResultDetails](normalization-common-fields.md#eventoriginalresultdetails)<br> - [EventOriginalSeverity](normalization-common-fields.md#eventoriginalseverity) <br> - [EventProductVersion](normalization-common-fields.md#eventproductversion)<br> - [EventReportUrl](normalization-common-fields.md#eventreporturl)<br>- [DvcMacAddr](normalization-common-fields.md#dvcmacaddr)<br>- [DvcOs](normalization-common-fields.md#dvcos)<br>- [DvcOsVersion](normalization-common-fields.md#dvchostname)<br>- [DvcOriginalAction](normalization-common-fields.md#dvcoriginalaction)<br>- [DvcInterface](normalization-common-fields.md#dvcinterface)<br>- [AdditionalFields](normalization-common-fields.md#additionalfields)\| +\|\|\| + ### Authentication-specific fields
sentinel	Dhcp Normalization Schema	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/dhcp-normalization-schema.md	Title: Microsoft Sentinel DHCP normalization schema reference \| Microsoft Docs + Title: The Advanced Security Information Model (ASIM) DHCP normalization schema reference (Public preview) \| Microsoft Docs description: This article describes the Microsoft Sentinel DHCP normalization schema. -# Microsoft Sentinel DHCP normalization schema reference (Public preview) +# The Advanced Security Information Model (ASIM) DHCP normalization schema reference (Public preview) [!INCLUDE [Banner for top of topics](./includes/banner.md)] The ASIM DHCP schema represents DHCP server activity, including serving requests The most important fields in a DHCP event are [SrcIpAddr](#srcipaddr) and [SrcHostname](#srchostname), which the DHCP server binds by granting the lease, and are aliased by [IpAddr](#ipaddr) and [Hostname](#hostname) fields respectively. The [SrcMacAddr](#srcmacaddr) field is also important as it represents the client machine used when an IP address is not leased. -A DHCP server may reject a client, either due to the security concerns, or because of network saturation. It may also quarantine a client by leasing to it an IP address that would connect it to a limited network. The [EventResult](#eventresult), [EventResultDetails](#eventresultdetails) and [DvcAction](#dvcaction) fields provide information about the DHCP server response and action. +A DHCP server may reject a client, either due to the security concerns, or because of network saturation. It may also quarantine a client by leasing to it an IP address that would connect it to a limited network. The [EventResult](normalization-common-fields.md#eventresult), [EventResultDetails](normalization-common-fields.md#eventresultdetails) and [DvcAction](normalization-common-fields.md#dvcaction) fields provide information about the DHCP server response and action. A lease's duration is stored in the [DhcpLeaseDuration](#dhcpleaseduration) field. ASIM is aligned with the [Open Source Security Events Metadata (OSSEM)](https:// OSSEM does not have a DHCP schema comparable to the ASIM DHCP schema. -### Log Analytics fields +### Common ASIM fields -The following fields are generated by Log Analytics for each record, and you can override them when [creating a custom connector](create-custom-connector.md). - -\| Field \| Type \| Description \| -\| \| \| \| -\| <a name=timegenerated></a>TimeGenerated \| Date/time \| The time the event was generated by the reporting device. \| -\| \_ResourceId \| guid \| The Azure Resource ID of the reporting device or service, or the log forwarder resource ID for events forwarded using Syslog, CEF, or WEF. \| -\| Type \| String \| The original table from which the record was fetched. This field is useful when the same event can be received through multiple channels to different tables, and have the same [EventVendor](#eventvendor) and [EventProduct](#eventproduct) values.<br><br>For example, a Sysmon event can be collected either to the Event table or to the WindowsEvent table. \| -\| \| \| \| - -> [!NOTE] -> More Log Analytics fields, less related to security, are documented with [Azure Monitor](../azure-monitor/logs/log-standard-columns.md). -> +> [!IMPORTANT] +> Fields common to all schemas are described in detail in the [ASIM Common Fields](normalization-common-fields.md) article. +> -### Event fields +#### Common Fields with specific guidelines -Event fields are common to all schemas, and describe the activity itself and the reporting device. +The following list mentions fields that have specific guidelines for DHCP events: -\| Field \| Class \| Type \| Discussion \| +\| Field \| Class \| Type \| Description \| \| \| \| \| \| -\| EventMessage \| Optional \| String \| A general message or description, either included in or generated from the record. \| -\| EventCount \| Mandatory \| Integer \| The number of events described by the record.<br><br>This value is used when the source supports aggregation and a single record may represent multiple events.<br><br>For other sources, it should be set to `1`.<br><br>Example: `1`\| -\| EventStartTime \| Mandatory \| Date/time \| If the source supports aggregation and the record represents multiple events, use this field to specify the time that the first event was generated. <br><br>In other cases, alias the [TimeGenerated](#timegenerated) field. \| -\| EventEndTime \| Alias \|\| Alias to the [TimeGenerated](#timegenerated) field. \| \| EventType \| Mandatory \| Enumerated \| Indicate the operation reported by the record. <br><Br> Possible values are `Assign`, `Renew`, `Release` and `DNS Update`. <br><br>Example: `Assign`\| -\| <a name="eventresult"></a>EventResult \| Mandatory \| Enumerated \| One of the following values: `Success`, `Partial`, `Failure`, `NA` (Not Applicable).<br> <br>The value may be provided in the source record using different terms, which should be normalized to these values. Alternatively, the source may provide only the [EventResultDetails](#eventresultdetails) field, which should be analyzed to derive the EventResult value. When a client is quarantined by the DHCP server, this field should be set to `Partial`.<br><br>Example: `Success`\| -\| <a name="eventresultdetails"></a>EventResultDetails \| Alias \| \| Reason or details for the result reported in the EventResult](#eventresult) field. <br><Br> Possible values are `Exhausted`, `Quarantined`, and `Denied`. <br><br>Example: `Exhausted` \| -\| EventOriginalResultDetails \| Optional \| String \| The value provided in the original record for [EventResultDetails](#eventresultdetails), if provided by the source. For Windows DHCP server logs, store the QResult field value here. \| -\| EventOriginalUid \| Optional \| String \| A unique ID of the original record, if provided by the source. \| -\| EventOriginalType \| Optional \| String \| The original event type or ID, if provided by the source.<br><br>Example: `DNS Assign Failed` \| -\| <a name ="eventproduct"></a>EventProduct \| Mandatory \| String \| The product generating the event. This field may not be available in the source record, in which case it should be set by the parser. <br><br>Example: `DHCP Server` \| -\| EventProductVersion \| Optional \| String \| The version of the product generating the event. This field may not be available in the source record, in which case it should be set by the parser. <br><br>Example: `12.1` \| -\| <a name="eventvendor"></a>EventVendor \| Mandatory \| String \| The vendor of the product generating the event. This field may not be available in the source record, in which case it should be set by the parser.<br><br>Example: `Microsoft`\| \| EventSchemaVersion \| Mandatory \| String \| The version of the schema documented here is 0.1. \| \| EventSchema \| Mandatory \| String \| The name of the schema documented here is Dhcp. \| -\| EventReportUrl \| Optional \| String \| A URL provided in the event for a resource that provides more information about the event. \| -\| <a name="dvc"></a>Dvc \| Alias \| String \| A unique identifier of the DHCP server.<br><br>Example: `ContosoDc.Contoso.Azure`<br><br>This field may alias the [DvcFQDN](#dvcfqdn), [DvcId](#dvcid), [DvcHostname](#dvchostname), or [DvcIpAddr](#dvcipaddr) fields. For cloud sources, for which there is not apparent device, use the same value as the [Event Product](#eventproduct) field. \| -\| <a name="dvcipaddr"></a>DvcIpAddr \| Recommended \| IP address \| The IP address of the DHCP server.<br><br>Example: `2001:db8::ff00:42:8329` \| -\| <a name="dvchostname"></a>DvcHostname \| Mandatory \| String \| The hostname of the DHCP server, excluding domain information. If no device name is available, store the relevant IP address in this field.<br><br>Example: `DESKTOP-1282V4D` \| -\| <a name="dvcdomain"></a>DvcDomain \| Recommended \| String \| The domain of the DHCP server.<br><br>Example: `Contoso` \| -\| <a name="dvcdomaintype"></a>DvcDomainType \| Recommended \| Enumerated \| The type of [DvcDomain](#dvcdomain) , if known. Possible values include:<br>- `Windows (contoso\mypc)`<br>- `FQDN (docs.microsoft.com)`<br><br>Note: This field is required if the [DvcDomain](#dvcdomain) field is used. \| -\| <a name="dvcfqdn"></a>DvcFQDN \| Optional \| String \| The hostname of the DHCP server, including domain information when available. <br><br> Example: `Contoso\DESKTOP-1282V4D`<br><br>Note: This field supports both both traditional FQDN format and Windows domain\hostname format. The [DvcDomainType](#dvcdomaintype) field reflects the format used. \| -\| <a name="dvcid"></a>DvcId \| Optional \| String \| The ID of the DHCP server as reported in the record.<br><br>Example: `ac7e9755-8eae-4ffc-8a02-50ed7a2216c3` \| -\| DvcIdType \| Optional \| Enumerated \| The type of [DvcId](#dvcid), if known. Possible values include:<br> - `AzureResourceId`<br>- `MDEid`<br><br>If multiple IDs are available, use the first one from the list, and store the others using the field names DvcAzureResourceId and DvcMDEid respectively.<br><br>Note: This field is required if the [DvcId](#dvcid) field is used. \| -\| EventSeverity \| Optional \| Enumerated \| Set to `Low` if the DHCP server quarantined the client, and to `Medium` if the server blocked the client. Otherwise set to `Informational`. <br><br>Example: `Informational`\| -\| <a name="dvcaction"></a>DvcAction \| Optional \| Enumerated \| The action taken by the DHCP server. Possible values are `Allow`, `Deny`, and `Quarantine`.<br><br>Example: `Deny` \| -\| <a name="additionalfields"></a>AdditionalFields \| Optional \| Dynamic \| If your source provides other information worth preserving, either keep it with the original field names or create the AdditionalFields dynamic field, and add to the extra information as key/value pairs. \| +\| Dvc fields\| - \| - \| For DHCP events, device fields refer to the system that reports the DHCP event. \| \| \| \| \| \| +#### All common fields + +Fields that appear in the table below are common to all ASIM schemas. Any guideline specified above overrides the general guidelines for the field. For example, a field might be optional in general, but mandatory for a specific schema. For further details on each field, refer to the [ASIM Common Fields](normalization-common-fields.md) article. + +\| Class \| Fields \| +\| \| - \| +\| Mandatory \| - [EventCount](normalization-common-fields.md#eventcount)<br> - [EventStartTime](normalization-common-fields.md#eventstarttime)<br> - [EventEndTime](normalization-common-fields.md#eventendtime)<br> - [EventType](normalization-common-fields.md#eventtype)<br>- [EventResult](normalization-common-fields.md#eventresult)<br> - [EventProduct](normalization-common-fields.md#eventproduct)<br> - [EventVendor](normalization-common-fields.md#eventvendor)<br> - [EventSchema](normalization-common-fields.md#eventschema)<br> - [EventSchemaVersion](normalization-common-fields.md#eventschemaversion)<br> - [Dvc](normalization-common-fields.md#dvc)<br>\| +\| Recommended \| - [EventResultDetails](normalization-common-fields.md#eventresultdetails)<br>- [EventSeverity](normalization-common-fields.md#eventseverity)<br> - [DvcIpAddr](normalization-common-fields.md#dvcipaddr)<br> - [DvcHostname](normalization-common-fields.md#dvchostname)<br> - [DvcDomain](normalization-common-fields.md#dvcdomain)<br>- [DvcDomainType](normalization-common-fields.md#dvcdomaintype)<br>- [DvcFQDN](normalization-common-fields.md#dvcfqdn)<br>- [DvcId](normalization-common-fields.md#dvcid)<br>- [DvcIdType](normalization-common-fields.md#dvcidtype)<br>- [DvcAction](normalization-common-fields.md#dvcaction)\| +\| Optional \| - [EventMessage](normalization-common-fields.md#eventmessage)<br> - [EventSubType](normalization-common-fields.md#eventsubtype)<br>- [EventOriginalUid](normalization-common-fields.md#eventoriginaluid)<br>- [EventOriginalType](normalization-common-fields.md#eventoriginaltype)<br>- [EventOriginalSubType](normalization-common-fields.md#eventoriginalsubtype)<br>- [EventOriginalResultDetails](normalization-common-fields.md#eventoriginalresultdetails)<br> - [EventOriginalSeverity](normalization-common-fields.md#eventoriginalseverity) <br> - [EventProductVersion](normalization-common-fields.md#eventproductversion)<br> - [EventReportUrl](normalization-common-fields.md#eventreporturl)<br>- [DvcMacAddr](normalization-common-fields.md#dvcmacaddr)<br>- [DvcOs](normalization-common-fields.md#dvcos)<br>- [DvcOsVersion](normalization-common-fields.md#dvchostname)<br>- [DvcOriginalAction](normalization-common-fields.md#dvcoriginalaction)<br>- [DvcInterface](normalization-common-fields.md#dvcinterface)<br>- [AdditionalFields](normalization-common-fields.md#additionalfields)\| +\|\|\| +++ ### DHCP-specific fields The fields below are specific to DHCP events, but many are similar to fields in other schemas and follow the same naming convention.
sentinel	Dns Normalization Schema	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/dns-normalization-schema.md	Title: Microsoft Sentinel DNS normalization schema reference \| Microsoft Docs + Title: The Advanced Security Information Model (ASIM) DNS normalization schema reference (Public preview) \| Microsoft Docs description: This article describes the Microsoft Sentinel DNS normalization schema.-+ Last updated 11/09/2021--+ -# Microsoft Sentinel DNS normalization schema reference (Public preview) +# The Advanced Security Information Model (ASIM) DNS normalization schema reference (Public preview) [!INCLUDE [Banner for top of topics](./includes/banner.md)] To filter only DNS queries for a specified list of domain names, use: let torProxies=dynamic(["tor2web.org", "tor2web.com", "torlink.co",...]); _Im_Dns (domain_has_any = torProxies) ``` +> [!TIP] +> To pass a literal list to parameters that expect a dynamic value, explicitly use a [dynamic literal](/azure/data-explorer/kusto/query/scalar-data-types/dynamic#dynamic-literals.md). For example: `dynamic(['192.168.','10.'])`. +> ## Normalized content The DNS information model is aligned with the [OSSEM DNS entity schema](https:// For more information, see the [Internet Assigned Numbers Authority (IANA) DNS parameter reference](https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml). -### Common fields +### Common ASIM fields > [!IMPORTANT] -> Fields common to all schemas are described in the [ASIM schema overview](normalization-about-schemas.md#common). The following list mentions only fields that have specific guidelines for DNS events. +> Fields common to all schemas are described in detail in the [ASIM Common Fields](normalization-common-fields.md) article. > ++ +#### Common fields with specific guidelines + +The following list mentions fields that have specific guidelines for DNS events: + \| Field \| Class \| Type \| Description \| \| \| \| \| \| \| EventType \| Mandatory \| Enumerated \| Indicates the operation reported by the record. <br><br> For DNS records, this value would be the [DNS op code](https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml). <br><br>Example: `lookup`\| For more information, see the [Internet Assigned Numbers Authority (IANA) DNS pa \| Dvc fields\| - \| - \| For DNS events, device fields refer to the system that reports the DNS event. \| \| \| \| \| \| +#### All common fields + +Fields that appear in the table below are common to all ASIM schemas. Any guideline specified above overrides the general guidelines for the field. For example, a field might be optional in general, but mandatory for a specific schema. For further details on each field, refer to the [ASIM Common Fields](normalization-common-fields.md) article. + +\| Class \| Fields \| +\| \| - \| +\| Mandatory \| - [EventCount](normalization-common-fields.md#eventcount)<br> - [EventStartTime](normalization-common-fields.md#eventstarttime)<br> - [EventEndTime](normalization-common-fields.md#eventendtime)<br> - [EventType](normalization-common-fields.md#eventtype)<br>- [EventResult](normalization-common-fields.md#eventresult)<br> - [EventProduct](normalization-common-fields.md#eventproduct)<br> - [EventVendor](normalization-common-fields.md#eventvendor)<br> - [EventSchema](normalization-common-fields.md#eventschema)<br> - [EventSchemaVersion](normalization-common-fields.md#eventschemaversion)<br> - [Dvc](normalization-common-fields.md#dvc)<br>\| +\| Recommended \| - [EventResultDetails](normalization-common-fields.md#eventresultdetails)<br>- [EventSeverity](normalization-common-fields.md#eventseverity)<br> - [DvcIpAddr](normalization-common-fields.md#dvcipaddr)<br> - [DvcHostname](normalization-common-fields.md#dvchostname)<br> - [DvcDomain](normalization-common-fields.md#dvcdomain)<br>- [DvcDomainType](normalization-common-fields.md#dvcdomaintype)<br>- [DvcFQDN](normalization-common-fields.md#dvcfqdn)<br>- [DvcId](normalization-common-fields.md#dvcid)<br>- [DvcIdType](normalization-common-fields.md#dvcidtype)<br>- [DvcAction](normalization-common-fields.md#dvcaction)\| +\| Optional \| - [EventMessage](normalization-common-fields.md#eventmessage)<br> - [EventSubType](normalization-common-fields.md#eventsubtype)<br>- [EventOriginalUid](normalization-common-fields.md#eventoriginaluid)<br>- [EventOriginalType](normalization-common-fields.md#eventoriginaltype)<br>- [EventOriginalSubType](normalization-common-fields.md#eventoriginalsubtype)<br>- [EventOriginalResultDetails](normalization-common-fields.md#eventoriginalresultdetails)<br> - [EventOriginalSeverity](normalization-common-fields.md#eventoriginalseverity) <br> - [EventProductVersion](normalization-common-fields.md#eventproductversion)<br> - [EventReportUrl](normalization-common-fields.md#eventreporturl)<br>- [DvcMacAddr](normalization-common-fields.md#dvcmacaddr)<br>- [DvcOs](normalization-common-fields.md#dvcos)<br>- [DvcOsVersion](normalization-common-fields.md#dvchostname)<br>- [DvcOriginalAction](normalization-common-fields.md#dvcoriginalaction)<br>- [DvcInterface](normalization-common-fields.md#dvcinterface)<br>- [AdditionalFields](normalization-common-fields.md#additionalfields)\| +\|\|\| ### DNS-specific fields The fields listed in this section are specific to DNS events, although many are \| <a name="dstdvcid"></a>DstDvcId \| Optional \| String \| The ID of the destination device as reported in the record.<br><br>Example: `ac7e9755-8eae-4ffc-8a02-50ed7a2216c3` \| \| DstDvcIdType \| Optional \| Enumerated \| The type of [DstDvcId](#dstdvcid), if known. Possible values include:<br> - `AzureResourceId`<br>- `MDEidIf`<br><br>If multiple IDs are available, use the first one from the list above, and store the others in the DstDvcAzureResourceId or DstDvcMDEid fields, respectively.<br><br>Required if DstDeviceId is used.\| \| DstDeviceType \| Optional \| Enumerated \| The type of the destination device. Possible values include:<br>- `Computer`<br>- `Mobile Device`<br>- `IOT Device`<br>- `Other` \| -\| <a name=query></a>DnsQuery \| Mandatory \| FQDN \| The domain that the request tries to resolve. <br><br>Note: Some sources send the query in different formats. For example, in the DNS protocol itself, the query includes a dot (.)at the end, which must be removed.<br><br>While the DNS protocol allows for multiple queries in a single request, this scenario is rare, if it's found at all. If the request has multiple queries, store the first one in this field, and then and optionally keep the rest in the [AdditionalFields](normalization-about-schemas.md#additionalfields) field.<br><br>Example: `www.malicious.com` \| +\| <a name=query></a>DnsQuery \| Mandatory \| FQDN \| The domain that the request tries to resolve. <br><br>Note: Some sources send the query in different formats. For example, in the DNS protocol itself, the query includes a dot (.)at the end, which must be removed.<br><br>While the DNS protocol allows for multiple queries in a single request, this scenario is rare, if it's found at all. If the request has multiple queries, store the first one in this field, and then and optionally keep the rest in the [AdditionalFields](normalization-common-fields.md#additionalfields) field.<br><br>Example: `www.malicious.com` \| \| Domain \| Alias \| \| Alias to [DnsQuery](#query). \| \| DnsQueryType \| Optional \| Integer \| The [DNS Resource Record Type codes](https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml). <br><br>Example: `28`\| \| DnsQueryTypeName \| Recommended \| Enumerated \| The [DNS Resource Record Type](https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml) names. <br><br>Note: IANA doesn't define the case for the values, so analytics must normalize the case as needed. If the source provides only a numerical query type code and not a query type name, the parser must include a lookup table to enrich with this value.<br><br>Example: `AAAA`\|
sentinel	File Event Normalization Schema	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/file-event-normalization-schema.md	Title: Microsoft Sentinel File Event normalization schema reference \| Microsoft Docs + Title: The Advanced Security Information Model (ASIM) File Event normalization schema reference (Public preview)\| Microsoft Docs description: This article describes the Microsoft Sentinel File Event normalization schema. -# Microsoft Sentinel File Event normalization schema reference (Public preview) +# The Advanced Security Information Model (ASIM) File Event normalization schema reference (Public preview) [!INCLUDE [Banner for top of topics](./includes/banner.md)] For more information, see [Create custom analytics rules to detect threats](dete The File Event information model is aligned to the [OSSEM Process entity schema](https://github.com/OTRF/OSSEM/blob/master/docs/cdm/entities/file.md). -### Log Analytics fields +### Common fields -The following fields are generated by Log Analytics for each record, and can be overridden when creating a custom connector. - -\| Field \| Type \| Discussion \| -\| - \| -- \| -- \| -\| <a name="timegenerated"></a>TimeGenerated \| datetime \| The time the event was generated by the reporting device.\| -\| _ResourceId \| guid \| The Azure Resource ID of the reporting device or service, or the log forwarder resource ID for events forwarded using Syslog, CEF, or WEF. \| -\| Type \| String \| The original table from which the record was fetched. This field is useful when the same event can be received through multiple channels to different tables, and have the same EventVendor and EventProduct values.<br><br>For example, a Sysmon event can be collected either to the Event table or to the WindowsEvent table. \| -\| \| \| \| - -> [!NOTE] -> Log Analytics also adds other fields that are less relevant to security use cases. For more information, see [Standard columns in Azure Monitor Logs](../azure-monitor/logs/log-standard-columns.md). +> [!IMPORTANT] +> Fields common to all schemas are described in detail in the [ASIM Common Fields](normalization-common-fields.md) article. > -## Event fields +#### Fields with specific guidelines for the DNS schema -Event fields are common to all schemas and describe the activity itself and the reporting device. +The following list mentions fields that have specific guidelines for File activity events: -\| Field \| Class \| Type \| Description \| -\|\|-\|\|--\| -\| EventMessage \| Optional \| String \| A general message or description, either included in or generated from the record. \| -\| EventCount \| Mandatory \| Integer \| The number of events described by the record. <br><br>This value is used when the source supports aggregation, and a single record may represent multiple events. <br><br>For other sources, set to `1`. \| -\| EventStartTime \| Mandatory \| Date/time \| If the source supports aggregation and the record represents multiple events, this field specifies the time that the first event was generated. Otherwise, this field aliases the [TimeGenerated](#timegenerated) field. \| -\| EventEndTime \| Mandatory \| Alias \| Alias to the [TimeGenerated](#timegenerated) field. \| +\| Field \| Class \| Type \| Description \| +\| \| \| \| \| \| EventType \| Mandatory \| Enumerated \| Describes the operation reported by the record. <br><br>For File records, supported values include: <br><br>- `FileCreated`<br>- `FileModified`<br>- `FileDeleted`<br>- `FileRenamed`<br>- `FileCopied`<br>- `FileMoved`<br>- `FolderCreated`<br>- `FolderDeleted` \| -\| EventResult \| Mandatory \| Enumerated \| Describes the result of the event, normalized to one of the following supported values: <br><br>- `Success`<br>- `Partial`<br>- `Failure`<br>- `NA` (not applicable) <br><br>The source may provide only a value for the [EventOriginalResultDetails](#eventoriginalresultdetails) field, which must be analyzed to get the EventResult value. \| -\| <a name="eventoriginalresultdetails"></a>EventOriginalResultDetails \| Optional \| String \| Describes the result of the event. <br><br>Note: This value is not normalized, and is intended for the original value as provided by the data source. There is currently no related, normalized field, such as EventResultDetails, for the File Event normalization schema. \| -\| EventOriginalUid \| Optional \| String \| A unique ID of the original record, if provided by the source.<br><br>Example: `69f37748-ddcd-4331-bf0f-b137f1ea83b`\| -\| EventOriginalType \| Optional \| String \| The original event type or ID, if provided by the source.<br><br>Example: `4663`\| -\| <a name ="eventproduct"></a>EventProduct \| Mandatory \| String \| The product generating the event. <br><br>Example: `Sysmon`<br><br>Note: This field may not be available in the source record. In such cases, this field must be set by the parser. \| -\| EventProductVersion \| Optional \| String \| The version of the product generating the event. <br><br>Example: `12.1`<br><br>Note: This field may not be available in the source record. In such cases, this field must be set by the parser. \| -\| EventVendor \| Mandatory \| String \| The vendor of the product generating the event. <br><br>Example: `Microsoft` <br><br>Note: This field may not be available in the source record. In such cases, this field must be set by the parser. \| +\| EventSchema \| Optional \| String \| The name of the schema documented here is FileEvent. \| \| EventSchemaVersion \| Mandatory \| String \| The version of the schema. The version of the schema documented here is `0.1` \| -\| EventReportUrl \| Optional \| String \| A URL provided in the event for a resource that provides additional information about the event.\| -\| Dvc \| Alias \| String \| A unique identifier of the device on which the event occurred. <br><br>For example: `ContosoDc.Contoso.Azure`<br><br>This field may alias the [DvcId](#dvcid), [DvcHostname](#dvchostname), or [DvcIpAddr](#dvcipaddr) fields. For cloud sources, for which there is no apparent device, use the same value as the [EventProduct](#eventproduct) field. \| -\| <a name ="dvcipaddr"></a>DvcIpAddr \| Recommended \| IP Address \| The IP Address of the device on which the file event occurred. <br><br>Example: `45.21.42.12` \| -\| <a name ="dvchostname"></a>DvcHostname \| Recommended \| Hostname \| The hostname of the device on which the file event occurred. <br><br>Example: `ContosoDc.Contoso.Azure` \| -\| <a name ="dvcid"></a>DvcId \| Optional \| String \| The unique ID of the device on which the file event occurred. <br><br>Example: `41502da5-21b7-48ec-81c9-baeea8d7d669` \| -\| DvcMacAddr \| Optional \| MAC \| The MAC of device on which the file event occurred. <br><br>Example: `00:1B:44:11:3A:B7` \| -\| DvcOs \| Optional \| String \| The operating system running on the device on which the file event occurred. <br><br>Example: `Windows` \| -\| DvcOsVersion \| Optional \| String \| The version of the operating system on the device on which the file event occurred. <br><br>Example: `10` \| -\| AdditionalFields \| Optional \| Dynamic \| If your source provides additional information worth preserving, either keep it with the original field names or create the dynamic AdditionalFields field, and add to it the extra information as key/value pairs. \| +\| Dvc fields\| - \| - \| For File activity events, device fields refer to the system on which the file activity occurred. \| \| \| \| \| \| +> [!IMPORTANT] +> The `EventSchema` field is currently optional but will become Mandatory on September 1st 2022. +> + +#### All common fields + +Fields that appear in the table below are common to all ASIM schemas. Any guideline specified above overrides the general guidelines for the field. For example, a field might be optional in general, but mandatory for a specific schema. For further details on each field, refer to the [ASIM Common Fields](normalization-common-fields.md) article. + +\| Class \| Fields \| +\| \| - \| +\| Mandatory \| - [EventCount](normalization-common-fields.md#eventcount)<br> - [EventStartTime](normalization-common-fields.md#eventstarttime)<br> - [EventEndTime](normalization-common-fields.md#eventendtime)<br> - [EventType](normalization-common-fields.md#eventtype)<br>- [EventResult](normalization-common-fields.md#eventresult)<br> - [EventProduct](normalization-common-fields.md#eventproduct)<br> - [EventVendor](normalization-common-fields.md#eventvendor)<br> - [EventSchema](normalization-common-fields.md#eventschema)<br> - [EventSchemaVersion](normalization-common-fields.md#eventschemaversion)<br> - [Dvc](normalization-common-fields.md#dvc)<br>\| +\| Recommended \| - [EventResultDetails](normalization-common-fields.md#eventresultdetails)<br>- [EventSeverity](normalization-common-fields.md#eventseverity)<br> - [DvcIpAddr](normalization-common-fields.md#dvcipaddr)<br> - [DvcHostname](normalization-common-fields.md#dvchostname)<br> - [DvcDomain](normalization-common-fields.md#dvcdomain)<br>- [DvcDomainType](normalization-common-fields.md#dvcdomaintype)<br>- [DvcFQDN](normalization-common-fields.md#dvcfqdn)<br>- [DvcId](normalization-common-fields.md#dvcid)<br>- [DvcIdType](normalization-common-fields.md#dvcidtype)<br>- [DvcAction](normalization-common-fields.md#dvcaction)\| +\| Optional \| - [EventMessage](normalization-common-fields.md#eventmessage)<br> - [EventSubType](normalization-common-fields.md#eventsubtype)<br>- [EventOriginalUid](normalization-common-fields.md#eventoriginaluid)<br>- [EventOriginalType](normalization-common-fields.md#eventoriginaltype)<br>- [EventOriginalSubType](normalization-common-fields.md#eventoriginalsubtype)<br>- [EventOriginalResultDetails](normalization-common-fields.md#eventoriginalresultdetails)<br> - [EventOriginalSeverity](normalization-common-fields.md#eventoriginalseverity) <br> - [EventProductVersion](normalization-common-fields.md#eventproductversion)<br> - [EventReportUrl](normalization-common-fields.md#eventreporturl)<br>- [DvcMacAddr](normalization-common-fields.md#dvcmacaddr)<br>- [DvcOs](normalization-common-fields.md#dvcos)<br>- [DvcOsVersion](normalization-common-fields.md#dvchostname)<br>- [DvcOriginalAction](normalization-common-fields.md#dvcoriginalaction)<br>- [DvcInterface](normalization-common-fields.md#dvcinterface)<br>- [AdditionalFields](normalization-common-fields.md#additionalfields)\| +\|\|\| ### File event specific fields For example: `JohnDoe` (Actor) uses `Windows File Explorer` (Acting proces \| \| \| \| \| - ## Path structure The path should be normalized to match one of the following formats. The format the value is normalized to will be reflected in the respective FilePathType field. The path should be normalized to match one of the following formats. The format \|URL \| `https://1drv.ms/p/s!Av04S_******we` \| Use when the file path is available as a URL. URLs are not limited to http* or https, and any value, including an FTP value, is valid. \| \| \| \| \| +## Schema updates +These are the changes in version 0.1.1 of the schema: +- Added the field `EventSchema` - currently optional, but will become mandatory on Sep 1st, 2022. ## Next steps
sentinel	Network Normalization Schema	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/network-normalization-schema.md	Title: Microsoft Sentinel Network Session normalization schema reference (preview) \| Microsoft Docs + Title: The Advanced Security Information Model (ASIM) Network Session normalization schema reference (Public preview) \| Microsoft Docs description: This article displays the Microsoft Sentinel Network Session normalization schema. -# Microsoft Sentinel Network Session normalization schema reference (preview) +# The Advanced Security Information Model (ASIM) Network Session normalization schema reference (Public preview) The Microsoft Sentinel Network Session normalization schema is used to describe an IP network activity. Network connections and network sessions are included. Such events are reported, for example, by operating systems, routers, firewalls, intrusion prevention systems, and web security gateways. The following filtering parameters are available: \| eventresult \| String \| Filter only network sessions with a specific EventResult value. \| \| \| \| \| -For example, to filter only web sessions for a specified list of domain names, use: +For example, to filter only network sessions for a specified list of domain names, use: ```kql let torProxies=dynamic(["tor2web.org", "tor2web.com", "torlink.co",...]); The descriptor `Dvc` is used for the reporting device, which is the local system ## Schema details -### Common fields +### Common ASIM fields > [!IMPORTANT] -> Fields common to all schemas are described in the [ASIM schema overview](normalization-about-schemas.md#common). The following list mentions only fields that have specific guidelines for network session events. +> Fields common to all schemas are described in detail in the [ASIM Common Fields](normalization-common-fields.md) article. > +#### Common fields with specific guidelines + +The following list mentions fields that have specific guidelines for Network Session events: + \| Field \| Class \| Type \| Description \| \|\|-\|\|--\| The descriptor `Dvc` is used for the reporting device, which is the local system \| EventResult \| Mandatory \| Enumerated \| If the source device does not provide an event result, EventResult should be based on the value of [DvcAction](#dvcaction). If [DvcAction](#dvcaction) is `Deny`, `Drop`, `Drop ICMP`, `Reset`, `Reset Source`, or `Reset Destination`<br>, EventResult should be `Failure`. Otherwise, EventResult should be `Success`. \| \| EventSchema \| Mandatory \| String \| The name of the schema documented here is `NetworkSession`. \| \| EventSchemaVersion \| Mandatory \| String \| The version of the schema. The version of the schema documented here is `0.2.2`. \| -\| <a name="dvcaction"></a>DvcAction \| Optional \| Enumerated \| The action taken on the network session. Supported values are:<br>- `Allow`<br>- `Deny`<br>- `Drop`<br>- `Drop ICMP`<br>- `Reset`<br>- `Reset Source`<br>- `Reset Destination`<br>- `Encrypt`<br>- `Decrypt`<br>- `VPNroute`<br><br>Note: The value might be provided in the source record by using different terms, which should be normalized to these values. The original value should be stored in the [DvcOriginalAction](normalization-about-schemas.md#dvcoriginalaction) field.<br><br>Example: `drop` \| +\| <a name="dvcaction"></a>DvcAction \| Optional \| Enumerated \| The action taken on the network session. Supported values are:<br>- `Allow`<br>- `Deny`<br>- `Drop`<br>- `Drop ICMP`<br>- `Reset`<br>- `Reset Source`<br>- `Reset Destination`<br>- `Encrypt`<br>- `Decrypt`<br>- `VPNroute`<br><br>Note: The value might be provided in the source record by using different terms, which should be normalized to these values. The original value should be stored in the [DvcOriginalAction](normalization-common-fields.md#dvcoriginalaction) field.<br><br>Example: `drop` \| \| EventSeverity \| Optional \| Enumerated \| If the source device does not provide an event severity, EventSeverity should be based on the value of [DvcAction](#dvcaction). If [DvcAction](#dvcaction) is `Deny`, `Drop`, `Drop ICMP`, `Reset`, `Reset Source`, or `Reset Destination`<br>, EventSeverity should be `Low`. Otherwise, EventSeverity should be `Informational`. \| \| DvcInterface \| \| \| The DvcInterface field should alias either the [DvcInboundInterface](#dvcinboundinterface) or the [DvcOutboundInterface](#dvcoutboundinterface) fields. \| \| Dvc fields\| \| \| For Network Session events, device fields refer to the system reporting the Network Session event. \| \| \| \| \| \| +#### All common fields + +Fields that appear in the table below are common to all ASIM schemas. Any guideline specified above overrides the general guidelines for the field. For example, a field might be optional in general, but mandatory for a specific schema. For further details on each field, refer to the [ASIM Common Fields](normalization-common-fields.md) article. + +\| Class \| Fields \| +\| \| - \| +\| Mandatory \| - [EventCount](normalization-common-fields.md#eventcount)<br> - [EventStartTime](normalization-common-fields.md#eventstarttime)<br> - [EventEndTime](normalization-common-fields.md#eventendtime)<br> - [EventType](normalization-common-fields.md#eventtype)<br>- [EventResult](normalization-common-fields.md#eventresult)<br> - [EventProduct](normalization-common-fields.md#eventproduct)<br> - [EventVendor](normalization-common-fields.md#eventvendor)<br> - [EventSchema](normalization-common-fields.md#eventschema)<br> - [EventSchemaVersion](normalization-common-fields.md#eventschemaversion)<br> - [Dvc](normalization-common-fields.md#dvc)<br>\| +\| Recommended \| - [EventResultDetails](normalization-common-fields.md#eventresultdetails)<br>- [EventSeverity](normalization-common-fields.md#eventseverity)<br> - [DvcIpAddr](normalization-common-fields.md#dvcipaddr)<br> - [DvcHostname](normalization-common-fields.md#dvchostname)<br> - [DvcDomain](normalization-common-fields.md#dvcdomain)<br>- [DvcDomainType](normalization-common-fields.md#dvcdomaintype)<br>- [DvcFQDN](normalization-common-fields.md#dvcfqdn)<br>- [DvcId](normalization-common-fields.md#dvcid)<br>- [DvcIdType](normalization-common-fields.md#dvcidtype)<br>- [DvcAction](normalization-common-fields.md#dvcaction)\| +\| Optional \| - [EventMessage](normalization-common-fields.md#eventmessage)<br> - [EventSubType](normalization-common-fields.md#eventsubtype)<br>- [EventOriginalUid](normalization-common-fields.md#eventoriginaluid)<br>- [EventOriginalType](normalization-common-fields.md#eventoriginaltype)<br>- [EventOriginalSubType](normalization-common-fields.md#eventoriginalsubtype)<br>- [EventOriginalResultDetails](normalization-common-fields.md#eventoriginalresultdetails)<br> - [EventOriginalSeverity](normalization-common-fields.md#eventoriginalseverity) <br> - [EventProductVersion](normalization-common-fields.md#eventproductversion)<br> - [EventReportUrl](normalization-common-fields.md#eventreporturl)<br>- [DvcMacAddr](normalization-common-fields.md#dvcmacaddr)<br>- [DvcOs](normalization-common-fields.md#dvcos)<br>- [DvcOsVersion](normalization-common-fields.md#dvchostname)<br>- [DvcOriginalAction](normalization-common-fields.md#dvcoriginalaction)<br>- [DvcInterface](normalization-common-fields.md#dvcinterface)<br>- [AdditionalFields](normalization-common-fields.md#additionalfields)\| +\|\|\| + ### Network session fields \| Field \| Class \| Type \| Description \|
sentinel	Normalization About Parsers	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/normalization-about-parsers.md	Last updated 11/09/2021 - # Use Advanced Security Information Model (ASIM) parsers (Public preview)
sentinel	Normalization About Schemas	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/normalization-about-schemas.md	Last updated 11/09/2021 - # Advanced Security Information Model (ASIM) schemas The following concepts help to understand the schema reference documents and ext \|Concept \|Description \| \|\|\| \|Field names \| At the core of each schema are its field names. Field names belong to the following groups: <br><br>- Fields common to all schemas. <br>- Fields specific to a schema. <br>- Fields that represent entities, such as users, which take part in the schema. Fields that represent entities [are similar across schemas](#entities). <br><br>When sources have fields that aren't presented in the documented schema, they're normalized to maintain consistency. If the extra fields represent an entity, they'll be normalized based on the entity field guidelines. Otherwise, the schemas strive to keep consistency across all schemas.<br><br> For example, while DNS server activity logs don't provide user information, DNS activity logs from an endpoint might include user information, which can be normalized according to the user entity guidelines. \| -\|Field types \| Each schema field has a type. The Log Analytics workspace has a limited set of data types. For this reason, Microsoft Sentinel uses a logical type for many schema fields, which Log Analytics doesn't enforce but is required for schema compatibility. Logical field types ensure that both values and field names are consistent across sources. <br><br>For more information, see [Logical types](#logical-types). \| -\|Field class \|Fields might have several classes, which define when the fields should be implemented by a parser: <br><br>- Mandatory fields must appear in every parser. If your source doesn't provide information for this value, or the data can't be otherwise added, it won't support most content items that reference the normalized schema.<br>- Recommended fields should be normalized if available. However, they might not be available in every source. Any content item that references that normalized schema should take availability into account. <br>- Optional fields, if available, can be normalized or left in their original form. Typically, a minimal parser wouldn't normalize them for performance reasons. \| +\|[Field types](#logical-types) \| Each schema field has a type. The Log Analytics workspace has a limited set of data types. For this reason, Microsoft Sentinel uses a logical type for many schema fields, which Log Analytics doesn't enforce but is required for schema compatibility. Logical field types ensure that both values and field names are consistent across sources. <br><br>For more information, see [Logical types](#logical-types). \| +\|Field class \| Fields might have several classes, which define when the fields should be implemented by a parser: <br><br>- Mandatory fields must appear in every parser. If your source doesn't provide information for this value, or the data can't be otherwise added, it won't support most content items that reference the normalized schema.<br>- Recommended fields should be normalized if available. However, they might not be available in every source. Any content item that references that normalized schema should take availability into account. <br>- Optional fields, if available, can be normalized or left in their original form. Typically, a minimal parser wouldn't normalize them for performance reasons. \| +\|[Common fields](normalization-common-fields.md) \| Some fields are common to all ASIM schemas. Each schema might add guidelines for using some of the common fields in the context of the specific schema. For example, permitted values for the EventType field might vary per schema, as might the value of the EventSchemaVersion field. \| \|Entities \| Events evolve around entities, such as users, hosts, processes, or files. Each entity might require several fields to describe it. For example, a host might have a name and an IP address. <br><br>A single record might include multiple entities of the same type, such as both a source and destination host. <br><br>ASIM defines how to describe entities consistently, and entities allow for extending the schemas. <br><br>For example, while the Network Session schema doesn't include process information, some event sources do provide process information that can be added. For more information, see [Entities](#entities). \| \|Aliases \| In some cases, different users expect a field to have different names. For example, in DNS terminology, you might expect a field named `query`, while more generally, it holds a domain name. Aliases solve this issue of ambiguity by allowing multiple names for a specified value. The alias class would be the same as the field that it aliases.<br><br>Log Analytics doesn't support aliasing. To implement aliases parsers, create a copy of the original value by using the `extend` operator. \| \| \| \| Each schema field has a type. Some have built-in, Log Analytics types, such as ` \|SHA512 \| String \| 128-hex characters. \| \| \| \| \| -## <a name="common"></a>Common fields - -Some fields are common to all ASIM schemas. Each schema might add guidelines for using some of the common fields in the context of the specific schema. For example, permitted values for the EventType field might vary per schema, as might the value of the EventSchemaVersion field. - -The following fields are generated by Log Analytics for each record. They can be overridden when you [create a custom connector](create-custom-connector.md). - -\| Field \| Type \| Discussion \| -\| - \| -- \| -- \| -\| <a name="timegenerated"></a>TimeGenerated \| datetime \| The time the event was generated by the reporting device.\| -\| _ResourceId \| guid \| The Azure Resource ID of the reporting device or service, or the log forwarder resource ID for events forwarded by using Syslog, CEF, or WEF. _ResourceId is not generated for sources for that do not have a resource concept, such as Microsoft Defender for Endpoint and will be empty for events from these sources. \| -\| Type \| String \| The original table from which the record was fetched. This field is useful when the same event can be received through multiple channels to different tables, and have the same [EventVendor](#eventvendor) and [EventProduct](#eventproduct) values.<br><br>For example, a Sysmon event can be collected either to the `Event` table or to the `WindowsEvent` table. \| -\| \| \| \| - -> [!NOTE] -> Log Analytics also adds other fields that are less relevant to security use cases. For more information, see [Standard columns in Azure Monitor Logs](../azure-monitor/logs/log-standard-columns.md). -> - -The following fields are defined by ASIM for all schemas: - -\| Field \| Class \| Type \| Description \| -\|\|-\|\|--\| -\| EventMessage \| Optional \| String \| A general message or description, either included in or generated from the record. \| -\| EventCount \| Mandatory \| Integer \| The number of events described by the record. <br><br>This value is used when the source supports aggregation, and a single record might represent multiple events. <br><br>For other sources, set to `1`. \| -\| EventStartTime \| Mandatory \| Date/time \| The time in which the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the [TimeGenerated](#timegenerated) field. \| -\| EventEndTime \| Mandatory \| Date/time \| The time in which the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. If not provided by the source record, this field aliases the [TimeGenerated](#timegenerated) field. \| -\| <a name="eventtype"></a>EventType \| Mandatory \| Enumerated \| Describes the operation reported by the record. Each schema documents the list of values valid for this field. The original, source specific, value is stored in the [EventOriginalType](#eventoriginaltype) field. \| -\| <a name="eventsubtype"></a>EventSubType \| Optional \| Enumerated \| Describes a subdivision of the operation reported in the [EventType](#eventtype) field. Each schema documents the list of values valid for this field. The original, source specific, value is stored in the [EventOriginalSubType](#eventoriginalsubtype) field. \| -\| <a name="eventresult"></a>EventResult \| Mandatory \| Enumerated \| One of the following values: Success, Partial, Failure, NA (Not Applicable).<br> <br>The value might be provided in the source record by using different terms, which should be normalized to these values. Alternatively, the source might provide only the [EventResultDetails](#eventresultdetails) field, which should be analyzed to derive the EventResult value.<br><br>Example: `Success`\| -\| <a name="eventresultdetails"></a>EventResultDetails \| Mandatory \| Enumerated \| Reason or details for the result reported in the [EventResult](#eventresult) field. Each schema documents the list of values valid for this field. The original, source specific, value is stored in the [EventOriginalResultDetails](#eventoriginalresultdetails) field.<br><br>Example: `NXDOMAIN`\| -\| EventOriginalUid \| Optional \| String \| A unique ID of the original record, if provided by the source.<br><br>Example: `69f37748-ddcd-4331-bf0f-b137f1ea83b`\| -\| <a name="eventoriginaltype"></a>EventOriginalType \| Optional \| String \| The original event type or ID, if provided by the source. For example, this field will be used to store the original Windows event ID. This value is used to derive [EventType](#eventtype), which should have only one of the values documented for each schema.<br><br>Example: `4624`\| -\| <a name="eventoriginalsubtype"></a>EventOriginalSubType \| Optional \| String \| The original event sub type or ID, if provided by the source. For example, this field will be used to store the original Windows logon type. This value is used to derive [EventSubType](#eventsubtype), which should have only one of the values documented for each schema.<br><br>Example: `2`\| -\| <a name="eventoriginalresultdetails"></a>EventOriginalResultDetails \| Optional \| String \| The original result details provided by the source. This value is used to derive [EventResultDetails](#eventresultdetails), which should have only one of the values documented for each schema. \| -\| <a name="eventseverity"></a>EventSeverity \| Enumerated \| String \| The severity of the event. Valid values are: `Informational`, `Low`, `Medium`, or `High`. \| -\| <a name="eventoriginalseverity"></a>EventOriginalSeverity \| Optional \| String \| The original severity as provided by the source. This value is used to derive [EventSeverity](#eventseverity). \| -\| <a name="eventproduct"></a>EventProduct \| Mandatory \| String \| The product generating the event. The value should be one of the values listed in [Vendors and Products](#vendors-and-products).<br><br>Example: `Sysmon` \| -\| EventProductVersion \| Optional \| String \| The version of the product generating the event. <br><br>Example: `12.1` \| -\| <a name="eventvendor"></a>EventVendor \| Mandatory \| String \| The vendor of the product generating the event. The value should be one of the values listed in [Vendors and Products](#vendors-and-products).<br><br>Example: `Microsoft` <br><br> \| -\| EventSchema \| Mandatory \| String \| The schema the event is normalized to. Each schema documents its schema name. \| -\| EventSchemaVersion \| Mandatory \| String \| The version of the schema. Each schema documents its current version. \| -\| EventReportUrl \| Optional \| String \| A URL provided in the event for a resource that provides more information about the event.\| -\| <a name="dvc"></a>Dvc \| Mandatory \| String \| A unique identifier of the device on which the event occurred or which reported the event, depending on the schema. <br><br>This field might alias the [DvcFQDN](#dvcfqdn), [DvcId](#dvcid), [DvcHostname](#dvchostname), or [DvcIpAddr](#dvcipaddr) fields. For cloud sources, for which there is no apparent device, use the same value as the [Event Product](#eventproduct) field. \| -\| <a name ="dvcipaddr"></a>DvcIpAddr \| Recommended \| IP address \| The IP address of the device on which the event occurred or which reported the event, depending on the schema. <br><br>Example: `45.21.42.12` \| -\| <a name ="dvchostname"></a>DvcHostname \| Recommended \| Hostname \| The hostname of the device on which the event occurred or which reported the event, depending on the schema. <br><br>Example: `ContosoDc` \| -\| <a name="dvcdomain"></a>DvcDomain \| Recommended \| String \| The domain of the device on which the event occurred or which reported the event, depending on the schema.<br><br>Example: `Contoso` \| -\| <a name="dvcdomaintype"></a>DvcDomainType \| Recommended \| Enumerated \| The type of [DvcDomain](#dvcdomain). For a list of allowed values and further information refer to [DomainType](#domaintype).<br><br>Note: This field is required if the [DvcDomain](#dvcdomain) field is used. \| -\| <a name="dvcfqdn"></a>DvcFQDN \| Optional \| String \| The hostname of the device on which the event occurred or which reported the event, depending on the schema. <br><br> Example: `Contoso\DESKTOP-1282V4D`<br><br>Note: This field supports both traditional FQDN format and Windows domain\hostname format. The [DvcDomainType](#dvcdomaintype) field reflects the format used. \| -\| <a name ="dvcid"></a>DvcId \| Optional \| String \| The unique ID of the device on which the event occurred or which reported the event, depending on the schema. <br><br>Example: `41502da5-21b7-48ec-81c9-baeea8d7d669` \| -\| DvcIdType \| Optional \| Enumerated \| The type of [DvcId](#dvcid). For a list of allowed values and further information refer to [DvcIdType](#dvcidtype).<br>- `MDEid`<br><br>If multiple IDs are available, use the first one from the list, and store the others by using the field names DvcAzureResourceId and DvcMDEid, respectively.<br><br>Note: This field is required if the [DvcId](#dvcid) field is used. \| -\| DvcMacAddr \| Optional \| MAC \| The MAC address of the device on which the event occurred. <br><br>Example: `00:1B:44:11:3A:B7` \| -\| DvcZone \| Optional \| String \| The network on which the event occurred or which reported the event, depending on the schema. The zone is defined by the reporting device.<br><br>Example: `Dmz` \| -\| DvcOs \| Optional \| String \| The operating system running on the device on which the event occurred. <br><br>Example: `Windows` \| -\| DvcOsVersion \| Optional \| String \| The version of the operating system on the device on which the event occurred. <br><br>Example: `10` \| -\| <a name="dvcaction"></a>DvcAction \| Optional \| String \| For reporting security systems, the action taken by the system, if applicable. <br><br>Example: `Blocked` \| -\| <a name="dvcoriginalaction"></a>DvcOriginalAction \| Optional \| String \| The original [DvcAction](#dvcaction) as provided by the reporting device. \| -\| <a name="dvcinterface"></a>DvcInterface \| Optional \| String \| The network interface on which data was captured. This field is typically relevant to network related activity which is captured by an intermediate or tap device. \| -\| <a name="dvcsubscription"></a>DvcSubscriptionId \| Optional \| String \| The cloud platform subscription ID the device belongs to. DvcSubscriptionId map to a subscription ID on Azure and to an account ID on AWS. \| -\| <a name="additionalfields"></a>AdditionalFields \| Optional \| Dynamic \| If your source provides additional information worth preserving, either keep it with the original field names or create the dynamic AdditionalFields field, and add to it the extra information as key/value pairs. \| -\| \| \| \| \| - -> [!NOTE] -> Log Analytics also adds other fields that are less relevant to security use cases. For more information, see [Standard columns in Azure Monitor Logs](../azure-monitor/logs/log-standard-columns.md). -> - ## Entities Events evolve around entities, such as users, hosts, processes, or files. Entity representation allows several entities of the same type to be part of a single record, and support multiple attributes for the same entities. Based on these entities, [Windows event 4624](/windows/security/threat-protectio \|Hostname \| Computer \| Alias \| \| \| \| \| \| \| -## Vendors and products - -To maintain consistency, the list of allowed vendors and products is set as part of ASIM, and may not directly correspond to the value sent by the source, when available. - -The currently supported list of vendors and products used in the [EventVendor](#eventvendor) and [EventProduct](#eventproduct) fields respectively is: - -\| Vendor \| Products \| -\| \| -- \| -\| Apache \| Squid Proxy \| -\| AWS \| - CloudTrail<br> - VPC \| -\| Cisco \| - ASA<br> - Umbrella \| -\| Corelight \| Zeek \| -\| GCP \| Cloud DNS \| -\| Infoblox \| NIOS \| -\| Microsoft \| - AAD<br> - Azure Firewall<br> - Azure File Storage<br> - Azure NSG flows<br> - DNS Server<br> - Microsoft 365 Defender for Endpoint<br> - Microsoft Defender for IoT<br> - Security Events<br> - Sharepoint 365<br>- Sysmon<br> - Sysmon for Linux<br> - VMConnection<br> - Windows Firewall<br> - WireData <br> -\| Okta \| Okta \| -\| Palo Alto \| - PanOS<br> - CDL<br> \| -\| Vectra AI \| Vectra Steam \| -\| Zscaler \| - ZIA DNS<br> - ZIA Firewall<br> - ZIA Proxy \| -\|\|\| - -If you are developing a parser for a vendor or a product which are not listed here, contact the [Microsoft Sentinel](mailto:azuresentinel@microsoft.com) team to allocate a new allowed vendor and product designators. - ## Next steps This article provides an overview of normalization in Microsoft Sentinel and ASIM.
sentinel	Normalization Common Fields	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/normalization-common-fields.md	+ + Title: The Advanced Security Information Model (ASIM) common schema fields reference (preview) \| Microsoft Docs +description: This article describes the Advanced Information Security (ASIM) common schema fields ++ Last updated : 11/17/2021++++ +# The Advanced Security Information Model (ASIM) common schema fields reference (preview) + +Some fields are common to all ASIM schemas. Each schema might add guidelines for using some of the common fields in the context of the specific schema. For example, permitted values for the EventType field might vary per schema, as might the value of the EventSchemaVersion field. + +## Standard Log Analytics fields + +The following fields are generated by Log Analytics for each record. They can be overridden when you [create a custom connector](create-custom-connector.md). + +\| Field \| Type \| Discussion \| +\| - \| -- \| -- \| +\| <a name="timegenerated"></a>TimeGenerated \| datetime \| The time the event was generated by the reporting device.\| +\| _ResourceId \| String \| The Azure Resource ID of the reporting device or service, or the log forwarder resource ID for events forwarded by using Syslog, CEF, or WEF. _ResourceId is not generated for sources for that do not have a resource concept, such as Microsoft Defender for Endpoint and will be empty for events from these sources. \| +\| Type \| String \| The original table from which the record was fetched. This field is useful when the same event can be received through multiple channels to different tables, and have the same [EventVendor](#eventvendor) and [EventProduct](#eventproduct) values.<br><br>For example, a Sysmon event can be collected either to the `Event` table or to the `WindowsEvent` table. \| +\| \| \| \| + +> [!NOTE] +> Log Analytics also adds other fields that are less relevant to security use cases. For more information, see [Standard columns in Azure Monitor Logs](../azure-monitor/logs/log-standard-columns.md). +> + +## Common ASIM fields + +The following fields are defined by ASIM for all schemas: + +\| Field \| Class \| Type \| Description \| +\|\|-\|\|--\| +\| <a name="eventmessage"></a>EventMessage \| Optional \| String \| A general message or description, either included in or generated from the record. \| +\| <a name="eventcount"></a>EventCount \| Mandatory \| Integer \| The number of events described by the record. <br><br>This value is used when the source supports aggregation, and a single record might represent multiple events. <br><br>For other sources, set to `1`. \| +\| <a name="eventstarttime"></a>EventStartTime \| Mandatory \| Date/time \| The time in which the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the [TimeGenerated](#timegenerated) field. \| +\| <a name="eventendtime"></a>EventEndTime \| Mandatory \| Date/time \| The time in which the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. If not provided by the source record, this field aliases the [TimeGenerated](#timegenerated) field. \| +\| <a name="eventtype"></a>EventType \| Mandatory \| Enumerated \| Describes the operation reported by the record. Each schema documents the list of values valid for this field. The original, source specific, value is stored in the [EventOriginalType](#eventoriginaltype) field. \| +\| <a name="eventsubtype"></a>EventSubType \| Optional \| Enumerated \| Describes a subdivision of the operation reported in the [EventType](#eventtype) field. Each schema documents the list of values valid for this field. The original, source specific, value is stored in the [EventOriginalSubType](#eventoriginalsubtype) field. \| +\| <a name="eventresult"></a>EventResult \| Mandatory \| Enumerated \| One of the following values: Success, Partial, Failure, NA (Not Applicable).<br> <br>The value might be provided in the source record by using different terms, which should be normalized to these values. Alternatively, the source might provide only the [EventResultDetails](#eventresultdetails) field, which should be analyzed to derive the EventResult value.<br><br>Example: `Success`\| +\| <a name="eventresultdetails"></a>EventResultDetails \| Mandatory \| Enumerated \| Reason or details for the result reported in the [EventResult](#eventresult) field. Each schema documents the list of values valid for this field. The original, source specific, value is stored in the [EventOriginalResultDetails](#eventoriginalresultdetails) field.<br><br>Example: `NXDOMAIN`\| +\| <a name="eventoriginaluid"></a>EventOriginalUid \| Optional \| String \| A unique ID of the original record, if provided by the source.<br><br>Example: `69f37748-ddcd-4331-bf0f-b137f1ea83b`\| +\| <a name="eventoriginaltype"></a>EventOriginalType \| Optional \| String \| The original event type or ID, if provided by the source. For example, this field will be used to store the original Windows event ID. This value is used to derive [EventType](#eventtype), which should have only one of the values documented for each schema.<br><br>Example: `4624`\| +\| <a name="eventoriginalsubtype"></a>EventOriginalSubType \| Optional \| String \| The original event sub type or ID, if provided by the source. For example, this field will be used to store the original Windows logon type. This value is used to derive [EventSubType](#eventsubtype), which should have only one of the values documented for each schema.<br><br>Example: `2`\| +\| <a name="eventoriginalresultdetails"></a>EventOriginalResultDetails \| Optional \| String \| The original result details provided by the source. This value is used to derive [EventResultDetails](#eventresultdetails), which should have only one of the values documented for each schema. \| +\| <a name="eventseverity"></a>EventSeverity \| Recommended \| Enumerated \| The severity of the event. Valid values are: `Informational`, `Low`, `Medium`, or `High`. \| +\| <a name="eventoriginalseverity"></a>EventOriginalSeverity \| Optional \| String \| The original severity as provided by the source. This value is used to derive [EventSeverity](#eventseverity). \| +\| <a name="eventproduct"></a>EventProduct \| Mandatory \| String \| The product generating the event. The value should be one of the values listed in [Vendors and Products](#vendors-and-products).<br><br>Example: `Sysmon` \| +\| <a name="eventproductversion"></a>EventProductVersion \| Optional \| String \| The version of the product generating the event. <br><br>Example: `12.1` \| +\| <a name="eventvendor"></a>EventVendor \| Mandatory \| String \| The vendor of the product generating the event. The value should be one of the values listed in [Vendors and Products](#vendors-and-products).<br><br>Example: `Microsoft` <br><br> \| +\| <a name="eventschema"></a>EventSchema \| Mandatory \| String \| The schema the event is normalized to. Each schema documents its schema name. \| +\| <a name="eventschemaversion"></a>EventSchemaVersion \| Mandatory \| String \| The version of the schema. Each schema documents its current version. \| +\| <a name="eventreporturl"></a>EventReportUrl \| Optional \| String \| A URL provided in the event for a resource that provides more information about the event.\| +\| <a name="dvc"></a>Dvc \| Mandatory \| String \| A unique identifier of the device on which the event occurred or which reported the event, depending on the schema. <br><br>This field might alias the [DvcFQDN](#dvcfqdn), [DvcId](#dvcid), [DvcHostname](#dvchostname), or [DvcIpAddr](#dvcipaddr) fields. For cloud sources, for which there is no apparent device, use the same value as the [Event Product](#eventproduct) field. \| +\| <a name ="dvcipaddr"></a>DvcIpAddr \| Recommended \| IP address \| The IP address of the device on which the event occurred or which reported the event, depending on the schema. <br><br>Example: `45.21.42.12` \| +\| <a name ="dvchostname"></a>DvcHostname \| Recommended \| Hostname \| The hostname of the device on which the event occurred or which reported the event, depending on the schema. <br><br>Example: `ContosoDc` \| +\| <a name="dvcdomain"></a>DvcDomain \| Recommended \| String \| The domain of the device on which the event occurred or which reported the event, depending on the schema.<br><br>Example: `Contoso` \| +\| <a name="dvcdomaintype"></a>DvcDomainType \| Recommended \| Enumerated \| The type of [DvcDomain](#dvcdomain). For a list of allowed values and further information refer to [DomainType](normalization-about-schemas.md#domaintype).<br><br>Note: This field is required if the [DvcDomain](#dvcdomain) field is used. \| +\| <a name="dvcfqdn"></a>DvcFQDN \| Optional \| String \| The hostname of the device on which the event occurred or which reported the event, depending on the schema. <br><br> Example: `Contoso\DESKTOP-1282V4D`<br><br>Note: This field supports both traditional FQDN format and Windows domain\hostname format. The [DvcDomainType](#dvcdomaintype) field reflects the format used. \| +\| <a name ="dvcid"></a>DvcId \| Optional \| String \| The unique ID of the device on which the event occurred or which reported the event, depending on the schema. <br><br>Example: `41502da5-21b7-48ec-81c9-baeea8d7d669` \| +\| <a name="dvcidtype"></a>DvcIdType \| Optional \| Enumerated \| The type of [DvcId](#dvcid). For a list of allowed values and further information refer to [DvcIdType](#dvcidtype).<br>- `MDEid`<br><br>If multiple IDs are available, use the first one from the list, and store the others by using the field names DvcAzureResourceId and DvcMDEid, respectively.<br><br>Note: This field is required if the [DvcId](#dvcid) field is used. \| +\| <a name="dvcmacaddr"></a>DvcMacAddr \| Optional \| MAC \| The MAC address of the device on which the event occurred. <br><br>Example: `00:1B:44:11:3A:B7` \| +\| <a name="dvczone"></a>DvcZone \| Optional \| String \| The network on which the event occurred or which reported the event, depending on the schema. The zone is defined by the reporting device.<br><br>Example: `Dmz` \| +\| <a name="dvcos"></a>DvcOs \| Optional \| String \| The operating system running on the device on which the event occurred. <br><br>Example: `Windows` \| +\| <a name="dvcosversion"></a>DvcOsVersion \| Optional \| String \| The version of the operating system on the device on which the event occurred. <br><br>Example: `10` \| +\| <a name="dvcaction"></a>DvcAction \| Optional \| String \| For reporting security systems, the action taken by the system, if applicable. <br><br>Example: `Blocked` \| +\| <a name="dvcoriginalaction"></a>DvcOriginalAction \| Optional \| String \| The original [DvcAction](#dvcaction) as provided by the reporting device. \| +\| <a name="dvcinterface"></a>DvcInterface \| Optional \| String \| The network interface on which data was captured. This field is typically relevant to network related activity which is captured by an intermediate or tap device. \| +\| <a name="dvcsubscription"></a>DvcSubscriptionId \| Optional \| String \| The cloud platform subscription ID the device belongs to. DvcSubscriptionId map to a subscription ID on Azure and to an account ID on AWS. \| +\| <a name="additionalfields"></a>AdditionalFields \| Optional \| Dynamic \| If your source provides additional information worth preserving, either keep it with the original field names or create the dynamic AdditionalFields field, and add to it the extra information as key/value pairs. \| +\| \| \| \| \| ++ +## Vendors and products + +To maintain consistency, the list of allowed vendors and products is set as part of ASIM, and may not directly correspond to the value sent by the source, when available. + +The currently supported list of vendors and products used in the [EventVendor](#eventvendor) and [EventProduct](#eventproduct) fields respectively is: + +\| Vendor \| Products \| +\| \| -- \| +\| Apache \| Squid Proxy \| +\| AWS \| - CloudTrail<br> - VPC \| +\| Cisco \| - ASA<br> - Umbrella \| +\| Corelight \| Zeek \| +\| GCP \| Cloud DNS \| +\| Infoblox \| NIOS \| +\| Microsoft \| - AAD<br> - Azure Firewall<br> - Azure File Storage<br> - Azure NSG flows<br> - DNS Server<br> - Microsoft 365 Defender for Endpoint<br> - Microsoft Defender for IoT<br> - Security Events<br> - Sharepoint 365<br>- Sysmon<br> - Sysmon for Linux<br> - VMConnection<br> - Windows Firewall<br> - WireData <br> +\| Okta \| Okta \| +\| Palo Alto \| - PanOS<br> - CDL<br> \| +\| Vectra AI \| Vectra Steam \| +\| Zscaler \| - ZIA DNS<br> - ZIA Firewall<br> - ZIA Proxy \| +\|\|\| + +If you are developing a parser for a vendor or a product which are not listed here, contact the [Microsoft Sentinel](mailto:azuresentinel@microsoft.com) team to allocate a new allowed vendor and product designators. + +## Next steps + +For more information, see: + +- Watch the [ASIM Webinar](https://www.youtube.com/watch?v=WoGD-JeC7ng) or review the [slides](https://1drv.ms/b/s!AnEPjr8tHcNmjDY1cro08Fk3KUj-?e=murYHG) +- [Advanced Security Information Model (ASIM) overview](normalization.md) +- [Advanced Security Information Model (ASIM) schemas](normalization-about-schemas.md) +- [Advanced Security Information Model (ASIM) parsers](normalization-parsers-overview.md) +- [Advanced Security Information Model (ASIM) content](normalization-content.md)
sentinel	Normalization Content	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/normalization-content.md	Last updated 11/09/2021 - # Advanced Security Information Model (ASIM) security content (Public preview)
sentinel	Normalization Modify Content	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/normalization-modify-content.md	Last updated 11/09/2021 - # Modify content to use the Advanced Security Information Model (ASIM) (Public preview)
sentinel	Normalization Schema V1	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/normalization-schema-v1.md	Title: Microsoft Sentinel network normalization schema (Legacy version - Public preview)\| Microsoft Docs description: This article displays the Microsoft Sentinel data normalization schema.-+ Last updated 11/09/2021--+ # Microsoft Sentinel network normalization schema (Legacy version - Public preview)
sentinel	Normalization	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/normalization.md	Title: Normalization and the Advanced Security Information Model (ASIM) \| Microsoft Docs description: This article explains how Microsoft Sentinel normalizes data from many different sources using the Advanced Security Information Model (ASIM)-+ Last updated 11/09/2021--+ # Normalization and the Advanced Security Information Model (ASIM) (Public preview)
sentinel	Process Events Normalization Schema	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/process-events-normalization-schema.md	Title: Microsoft Sentinel Process Event normalization schema reference \| Microsoft Docs + Title: The Advanced Security Information Model (ASIM) Process Event normalization schema reference (Public preview) \| Microsoft Docs description: This article describes the Microsoft Sentinel Process Event normalization schema.-+ Last updated 11/09/2021-+ -# Microsoft Sentinel Process Event normalization schema reference (Public preview) +# The Advanced Security Information Model (ASIM) Process Event normalization schema reference (Public preview) [!INCLUDE [Banner for top of topics](./includes/banner.md)] The following Microsoft Sentinel content works with any process activity that's The Process Event information model is aligned to the [OSSEM Process entity schema](https://github.com/OTRF/OSSEM/blob/master/docs/cdm/entities/process.md). -### Log Analytics fields +### Common ASIM fields -The following fields are generated by Log Analytics for each record, and can be overridden when creating a custom connector. - -\| Field \| Type \| Discussion \| -\| - \| -- \| -- \| -\| <a name="timegenerated"></a>TimeGenerated \| datetime \| The time the event was generated by the reporting device.\| -\| _ResourceId \| guid \| The Azure Resource ID of the reporting device or service, or the log forwarder resource ID for events forwarded using Syslog, CEF, or WEF. \| -\| Type \| String \| The original table from which the record was fetched. This field is useful when the same event can be received through multiple channels to different tables, and have the same EventVendor and EventProduct values.<br><br>For example, a Sysmon event can be collected either to the Event table or to the WindowsEvent table. \| -\| \| \| \| - -> [!NOTE] -> Log Analytics also adds other fields that are less relevant to security use cases. For more information, see [Standard columns in Azure Monitor Logs](../azure-monitor/logs/log-standard-columns.md). +> [!IMPORTANT] +> Fields common to all schemas are described in detail in the [ASIM Common Fields](normalization-common-fields.md) article. > -## Event fields +#### Common fields with specific guidelines -Event fields are common to all schemas and describe the activity itself and the reporting device. +The following list mentions fields that have specific guidelines for process activity events: \| Field \| Class \| Type \| Description \| \|\|-\|\|--\| -\| EventMessage \| Optional \| String \| A general message or description, either included in or generated from the record. \| -\| EventCount \| Mandatory \| Integer \| The number of events described by the record. <br><br>This value is used when the source supports aggregation, and a single record may represent multiple events. <br><br>For other sources, set to `1`. \| -\| EventStartTime \| Mandatory \| Date/time \| If the source supports aggregation and the record represents multiple events, this field specifies the time that the first event was generated. Otherwise, this field aliases the [TimeGenerated](#timegenerated) field. \| -\| EventEndTime \| Mandatory \| Alias \| Alias to the [TimeGenerated](#timegenerated) field. \| \| EventType \| Mandatory \| Enumerated \| Describes the operation reported by the record. <br><br>For Process records, supported values include: <br>- `ProcessCreated` <br>- `ProcessTerminated` \| -\| EventResult \| Mandatory \| Enumerated \| Describes the result of the event, normalized to one of the following supported values: <br><br>- `Success`<br>- `Partial`<br>- `Failure`<br>- `NA` (not applicable) <br><br>The source may provide only a value for the EventResultDetails field, which must be analyzed to get the EventResult value.<br><br>Note: Process Events commonly report only success. \| -\| EventOriginalUid \| Optional \| String \| A unique ID of the original record, if provided by the source.<br><br>Example: `69f37748-ddcd-4331-bf0f-b137f1ea83b`\| -\| EventOriginalType \| Optional \| String \| The original event type or ID, if provided by the source.<br><br>Example: `4688`\| -\| <a name ="eventproduct"></a>EventProduct \| Mandatory \| String \| The product generating the event. <br><br>Example: `Sysmon`<br><br>Note: This field may not be available in the source record. In such cases, this field must be set by the parser. \| -\| EventProductVersion \| Optional \| String \| The version of the product generating the event. <br><br>Example: `12.1` \| -\| EventVendor \| Mandatory \| String \| The vendor of the product generating the event. <br><br>Example: `Microsoft` <br><br>Note: This field may not be available in the source record. In such cases, this field must be set by the parser. \| \| EventSchemaVersion \| Mandatory \| String \| The version of the schema. The version of the schema documented here is `0.1` \| -\| EventReportUrl \| Optional \| String \| A URL provided in the event for a resource that provides additional information about the event.\| -\| Dvc \| Mandatory \| String \| A unique identifier of the device on which the event occurred. <br><br>This field may alias the [DvcId](#dvcid), [DvcHostname](#dvchostname), or [DvcIpAddr](#dvcipaddr) fields. For cloud sources, for which there is no apparent device, use the same value as the [Event Product](#eventproduct) field. \| -\| <a name ="dvcipaddr"></a>DvcIpAddr \| Recommended \| IP Address \| The IP Address of the device on which the process event occurred. <br><br>Example: `45.21.42.12` \| -\| <a name ="dvchostname"></a>DvcHostname \| Recommended \| Hostname \| The hostname of the device on which the process event occurred. <br><br>Example: `ContosoDc.Contoso.Azure` \| -\| <a name ="dvcid"></a>DvcId \| Optional \| String \| The unique ID of the device on which the process event occurred. <br><br>Example: `41502da5-21b7-48ec-81c9-baeea8d7d669` \| -\| DvcMacAddr \| Optional \| MAC \| The MAC of device on which the process event occurred. <br><br>Example: `00:1B:44:11:3A:B7` \| -\| DvcOs \| Optional \| String \| The operating system running on the device on which the process event occurred. <br><br>Example: `Windows` \| -\| DvcOsVersion \| Optional \| String \| The version of the operating system on the device on which the process event occurred. <br><br>Example: `10` \| -\| AdditionalFields \| Optional \| Dynamic \| If your source provides additional information worth preserving, either keep it with the original field names or create the dynamic AdditionalFields field, and add to it the extra information as key/value pairs. \| -\| \| \| \| \| +\| EventSchema \| Optional \| String \| The name of the schema documented here is `ProcessEvent`. \| +\| Dvc fields\| \| \| For process activity events, device fields refer to the system on which the process was executed. \| +\|\|\|\|\| + +> [!IMPORTANT] +> The `EventSchema` field is currently optional but will become Mandatory on September 1st 2022. +> + +#### All common fields + +Fields that appear in the table below are common to all ASIM schemas. Any guideline specified above overrides the general guidelines for the field. For example, a field might be optional in general, but mandatory for a specific schema. For further details on each field, refer to the [ASIM Common Fields](normalization-common-fields.md) article. + +\| Class \| Fields \| +\| \| - \| +\| Mandatory \| - [EventCount](normalization-common-fields.md#eventcount)<br> - [EventStartTime](normalization-common-fields.md#eventstarttime)<br> - [EventEndTime](normalization-common-fields.md#eventendtime)<br> - [EventType](normalization-common-fields.md#eventtype)<br>- [EventResult](normalization-common-fields.md#eventresult)<br> - [EventProduct](normalization-common-fields.md#eventproduct)<br> - [EventVendor](normalization-common-fields.md#eventvendor)<br> - [EventSchema](normalization-common-fields.md#eventschema)<br> - [EventSchemaVersion](normalization-common-fields.md#eventschemaversion)<br> - [Dvc](normalization-common-fields.md#dvc)<br>\| +\| Recommended \| - [EventResultDetails](normalization-common-fields.md#eventresultdetails)<br>- [EventSeverity](normalization-common-fields.md#eventseverity)<br> - [DvcIpAddr](normalization-common-fields.md#dvcipaddr)<br> - [DvcHostname](normalization-common-fields.md#dvchostname)<br> - [DvcDomain](normalization-common-fields.md#dvcdomain)<br>- [DvcDomainType](normalization-common-fields.md#dvcdomaintype)<br>- [DvcFQDN](normalization-common-fields.md#dvcfqdn)<br>- [DvcId](normalization-common-fields.md#dvcid)<br>- [DvcIdType](normalization-common-fields.md#dvcidtype)<br>- [DvcAction](normalization-common-fields.md#dvcaction)\| +\| Optional \| - [EventMessage](normalization-common-fields.md#eventmessage)<br> - [EventSubType](normalization-common-fields.md#eventsubtype)<br>- [EventOriginalUid](normalization-common-fields.md#eventoriginaluid)<br>- [EventOriginalType](normalization-common-fields.md#eventoriginaltype)<br>- [EventOriginalSubType](normalization-common-fields.md#eventoriginalsubtype)<br>- [EventOriginalResultDetails](normalization-common-fields.md#eventoriginalresultdetails)<br> - [EventOriginalSeverity](normalization-common-fields.md#eventoriginalseverity) <br> - [EventProductVersion](normalization-common-fields.md#eventproductversion)<br> - [EventReportUrl](normalization-common-fields.md#eventreporturl)<br>- [DvcMacAddr](normalization-common-fields.md#dvcmacaddr)<br>- [DvcOs](normalization-common-fields.md#dvcos)<br>- [DvcOsVersion](normalization-common-fields.md#dvchostname)<br>- [DvcOriginalAction](normalization-common-fields.md#dvcoriginalaction)<br>- [DvcInterface](normalization-common-fields.md#dvcinterface)<br>- [AdditionalFields](normalization-common-fields.md#additionalfields)\| +\|\|\| + ### Process Event-specific fields The process event schema references the following entities, which are central to \| TargetProcessTokenElevation \| Optional \| String \|Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that was created or terminated. <br><br> Example: `None` \| \| \| \| \| \| +## Schema updates +These are the changes in version 0.1.1 of the schema: +- Added the field `EventSchema` - currently optional, but will become mandatory on Sep 1st, 2022. ## Next steps
sentinel	Registry Event Normalization Schema	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/registry-event-normalization-schema.md	Title: Microsoft Sentinel Registry Event normalization schema reference \| Microsoft Docs + Title: The Advanced Security Information Model (ASIM) Registry Event normalization schema reference (Public preview) \| Microsoft Docs description: This article describes the Microsoft Sentinel Registry Event normalization schema.-+ Last updated 11/09/2021-+ -# Microsoft Sentinel Registry Event normalization schema reference (Public preview) +# The Advanced Security Information Model (ASIM) Registry Event normalization schema reference (Public preview) [!INCLUDE [Banner for top of topics](./includes/banner.md)] For more information, see [Hunt for threats with Microsoft Sentinel](hunting.md) The Registry Event information model is aligned with the [OSSEM Registry entity schema](https://github.com/OTRF/OSSEM/blob/master/docs/cdm/entities/registry.md). -### Log Analytics fields +### Common ASIM fields -The following fields are generated by Log Analytics for each record, and can be overridden when creating a custom connector. - -\| Field \| Type \| Discussion \| -\| - \| -- \| -- \| -\| <a name="timegenerated"></a>TimeGenerated \| datetime \| The time the event was generated by the reporting device.\| -\| _ResourceId \| guid \| The Azure Resource ID of the reporting device or service, or the log forwarder resource ID for events forwarded using Syslog, CEF, or WEF. \| -\| Type \| String \| The original table from which the record was fetched. This field is useful when the same event can be received through multiple channels to different tables, and have the same EventVendor and EventProduct values.<br><br>For example, a Sysmon event can be collected either to the Event table or to the WindowsEvent table. \| -- -> [!NOTE] -> Log Analytics also adds other fields that are less relevant to security use cases. For more information, see [Standard columns in Azure Monitor Logs](../azure-monitor/logs/log-standard-columns.md). +> [!IMPORTANT] +> Fields common to all schemas are described in detail in the [ASIM Common Fields](normalization-common-fields.md) article. > -### Event fields +#### Common fields with specific guidelines - -Event fields are common to all schemas and describe the activity itself and the reporting device. +The following list mentions fields that have specific guidelines for process activity events: \| Field \| Class \| Type \| Description \| \|\|-\|\|--\| -\| EventMessage \| Optional \| String \| A general message or description, either included in or generated from the record. \| -\| EventCount \| Mandatory \| Integer \| The number of events described by the record. <br><br>This value is used when the source supports aggregation, and a single record may represent multiple events. <br><br>For other sources, set to `1`. \| -\| EventStartTime \| Mandatory \| Date/time \| If the source supports aggregation and the record represents multiple events, this field specifies the time that the first event was generated. <br><br>Otherwise, this field aliases the [TimeGenerated](#timegenerated) field. \| -\| EventEndTime \| Mandatory \| Alias \| Alias to the [TimeGenerated](#timegenerated) field. \| \| EventType \| Mandatory \| Enumerated \| Describes the operation reported by the record. <br><br>For Registry records, supported values include: <br>- `RegistryKeyCreated` <br>- `RegistryKeyDeleted`<br>- `RegistryKeyRenamed` <br>- `RegistryValueDeleted` <br>- `RegistryValueSet`\| -\| EventOriginalUid \| Optional \| String \| A unique ID of the original record, if provided by the source.<br><br>Example: `69f37748-ddcd-4331-bf0f-b137f1ea83b`\| -\| EventOriginalType \| Optional \| String \| The original event type or ID, if provided by the source.<br><br>Example: `4657`\| -\| <a name ="eventproduct"></a>EventProduct \| Mandatory \| String \| The product generating the event. <br><br>Example: `Sysmon`<br><br>Note: This field may not be available in the source record. In such cases, this field must be set by the parser. \| -\| EventProductVersion \| Optional \| String \| The version of the product generating the event. <br><br>Example: `12.1` \| -\| EventVendor \| Mandatory \| String \| The vendor of the product generating the event. <br><br>Example: `Microsoft` <br><br>Note: This field may not be available in the source record. In such cases, this field must be set by the parser. \| \| EventSchemaVersion \| Mandatory \| String \| The version of the schema. The version of the schema documented here is `0.1` \| -\| EventReportUrl \| Optional \| String \| A URL provided in the event for a resource that provides additional information about the event.\| -\| Dvc \| Mandatory \| String \| A unique identifier of the device on which the event occurred. <br><br>This field may alias the [DvcId](#dvcid), [DvcHostname](#dvchostname), or [DvcIpAddr](#dvcipaddr) fields. For cloud sources, for which there is no apparent device, use the same value as the [EventProduct](#eventproduct) field. \| -\| <a name ="dvcipaddr"></a>DvcIpAddr \| Recommended \| IP Address \| The IP Address of the device on which the registry event occurred. <br><br>Example: `45.21.42.12` \| -\| <a name ="dvchostname"></a>DvcHostname \| Recommended \| Hostname \| The hostname of the device on which the registry event occurred. <br><br>Example: `ContosoDc.Contoso.Azure` \| -\| <a name ="dvcid"></a>DvcId \| Optional \| String \| The unique ID of the device on which the registry event occurred. <br><br>Example: `41502da5-21b7-48ec-81c9-baeea8d7d669` \| -\| DvcMacAddr \| Optional \| MAC \| The MAC of device on which the registry event occurred. <br><br>Example: `00:1B:44:11:3A:B7` \| -\| DvcOs \| Optional \| String \| The operating system running on the device on which the registry event occurred. <br><br>Example: `Windows` \| -\| DvcOsVersion \| Optional \| String \| The version of the operating system on the device on which the registry event occurred. <br><br>Example: `10` \| -\| AdditionalFields \| Optional \| Dynamic \| If your source provides additional information worth preserving, either keep it with the original field names or create the dynamic AdditionalFields field, and add it to the extra information as key/value pairs. \| +\| EventSchema \| Optional \| String \| The name of the schema documented here is `RegistryEvent`. \| +\| Dvc fields\| \| \| For registry activity events, device fields refer to the system on which the registry activity occurred. \| +\|\|\|\|\| + +> [!IMPORTANT] +> The `EventSchema` field is currently optional but will become Mandatory on September 1st 2022. +> + +#### All common fields + +Fields that appear in the table below are common to all ASIM schemas. Any guideline specified above overrides the general guidelines for the field. For example, a field might be optional in general, but mandatory for a specific schema. For further details on each field, refer to the [ASIM Common Fields](normalization-common-fields.md) article. + +\| Class \| Fields \| +\| \| - \| +\| Mandatory \| - [EventCount](normalization-common-fields.md#eventcount)<br> - [EventStartTime](normalization-common-fields.md#eventstarttime)<br> - [EventEndTime](normalization-common-fields.md#eventendtime)<br> - [EventType](normalization-common-fields.md#eventtype)<br>- [EventResult](normalization-common-fields.md#eventresult)<br> - [EventProduct](normalization-common-fields.md#eventproduct)<br> - [EventVendor](normalization-common-fields.md#eventvendor)<br> - [EventSchema](normalization-common-fields.md#eventschema)<br> - [EventSchemaVersion](normalization-common-fields.md#eventschemaversion)<br> - [Dvc](normalization-common-fields.md#dvc)<br>\| +\| Recommended \| - [EventResultDetails](normalization-common-fields.md#eventresultdetails)<br>- [EventSeverity](normalization-common-fields.md#eventseverity)<br> - [DvcIpAddr](normalization-common-fields.md#dvcipaddr)<br> - [DvcHostname](normalization-common-fields.md#dvchostname)<br> - [DvcDomain](normalization-common-fields.md#dvcdomain)<br>- [DvcDomainType](normalization-common-fields.md#dvcdomaintype)<br>- [DvcFQDN](normalization-common-fields.md#dvcfqdn)<br>- [DvcId](normalization-common-fields.md#dvcid)<br>- [DvcIdType](normalization-common-fields.md#dvcidtype)<br>- [DvcAction](normalization-common-fields.md#dvcaction)\| +\| Optional \| - [EventMessage](normalization-common-fields.md#eventmessage)<br> - [EventSubType](normalization-common-fields.md#eventsubtype)<br>- [EventOriginalUid](normalization-common-fields.md#eventoriginaluid)<br>- [EventOriginalType](normalization-common-fields.md#eventoriginaltype)<br>- [EventOriginalSubType](normalization-common-fields.md#eventoriginalsubtype)<br>- [EventOriginalResultDetails](normalization-common-fields.md#eventoriginalresultdetails)<br> - [EventOriginalSeverity](normalization-common-fields.md#eventoriginalseverity) <br> - [EventProductVersion](normalization-common-fields.md#eventproductversion)<br> - [EventReportUrl](normalization-common-fields.md#eventreporturl)<br>- [DvcMacAddr](normalization-common-fields.md#dvcmacaddr)<br>- [DvcOs](normalization-common-fields.md#dvcos)<br>- [DvcOsVersion](normalization-common-fields.md#dvchostname)<br>- [DvcOriginalAction](normalization-common-fields.md#dvcoriginalaction)<br>- [DvcInterface](normalization-common-fields.md#dvcinterface)<br>- [AdditionalFields](normalization-common-fields.md#additionalfields)\| +\|\|\| + ### Registry Event specific fields Different sources represent registry value types using different representations \| Reg_QWord \| `Qword`, `%%1883` \| +## Schema updates + +These are the changes in version 0.1.1 of the schema: +- Added the field `EventSchema` - currently optional, but will become mandatory on Sep 1st, 2022. ## Next steps
sentinel	Sentinel Solutions Catalog	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/sentinel-solutions-catalog.md	For more information, see [Centrally discover and deploy Microsoft Sentinel out- \|Name \|Includes \|Categories \|Supported by \| \|\|\|\|\| -\|Senserva Offer for Microsoft Sentinel \|Data connector, workbooks, analytics rules, hunting queries \|Compliance \|[Senserva](https://www.senserva.com/contact/) \| +\|Senserva Offer for Microsoft Sentinel \|Data connector, workbooks, analytics rules, hunting queries \|Compliance \|[Senserva](https://www.senserva.com/support/) \| \| \| \| \| \|
sentinel	User Management Normalization Schema	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/user-management-normalization-schema.md	Some activities, such as UserCreated, GroupCreated, UserModified, an ## Schema details -### Common fields +### Common ASIM fields > [!IMPORTANT] -> Fields common to all schemas are described in the [ASIM schema overview](normalization-about-schemas.md#common). The following list mentions only fields that have specific guidelines for user management events. +> Fields common to all schemas are described in detail in the [ASIM Common Fields](normalization-common-fields.md) article. > +#### Common fields with specific guidelines + +The following list mentions fields that have specific guidelines for process activity events: + \| Field \| Class \| Type \| Description \| \|\|-\|\|--\| \| EventType \| Mandatory \| Enumerated \| Describes the operation reported by the record.<br><br> For User Management activity, the supported values are:<br> - `UserCreated`<br> - `UserDeleted`<br> - `UserModified`<br> - `UserLocked`<br> - `UserUnlocked`<br> - `UserDisabled`<br> - `UserEnabled`<br> - `PasswordChanged`<br> - `PasswordReset`<br> - `GroupCreated`<br> - `GroupDeleted`<br> - `GroupModified`<br> - `UserAddedToGroup`<br> - `UserRemovedFromGroup`<br> - `GroupEnumerated`<br> - `UserRead`<br> - `GroupRead`<br> \| Some activities, such as UserCreated, GroupCreated, UserModified, an \| Dvc fields\| \| \| For user management events, device fields refer to the system reporting the event. This is usually the system on which the user is managed. \| \| \| \| \| \| +#### All common fields + +Fields that appear in the table below are common to all ASIM schemas. Any guideline specified above overrides the general guidelines for the field. For example, a field might be optional in general, but mandatory for a specific schema. For further details on each field, refer to the [ASIM Common Fields](normalization-common-fields.md) article. + +\| Class \| Fields \| +\| \| - \| +\| Mandatory \| - [EventCount](normalization-common-fields.md#eventcount)<br> - [EventStartTime](normalization-common-fields.md#eventstarttime)<br> - [EventEndTime](normalization-common-fields.md#eventendtime)<br> - [EventType](normalization-common-fields.md#eventtype)<br>- [EventResult](normalization-common-fields.md#eventresult)<br> - [EventProduct](normalization-common-fields.md#eventproduct)<br> - [EventVendor](normalization-common-fields.md#eventvendor)<br> - [EventSchema](normalization-common-fields.md#eventschema)<br> - [EventSchemaVersion](normalization-common-fields.md#eventschemaversion)<br> - [Dvc](normalization-common-fields.md#dvc)<br>\| +\| Recommended \| - [EventResultDetails](normalization-common-fields.md#eventresultdetails)<br>- [EventSeverity](normalization-common-fields.md#eventseverity)<br> - [DvcIpAddr](normalization-common-fields.md#dvcipaddr)<br> - [DvcHostname](normalization-common-fields.md#dvchostname)<br> - [DvcDomain](normalization-common-fields.md#dvcdomain)<br>- [DvcDomainType](normalization-common-fields.md#dvcdomaintype)<br>- [DvcFQDN](normalization-common-fields.md#dvcfqdn)<br>- [DvcId](normalization-common-fields.md#dvcid)<br>- [DvcIdType](normalization-common-fields.md#dvcidtype)<br>- [DvcAction](normalization-common-fields.md#dvcaction)\| +\| Optional \| - [EventMessage](normalization-common-fields.md#eventmessage)<br> - [EventSubType](normalization-common-fields.md#eventsubtype)<br>- [EventOriginalUid](normalization-common-fields.md#eventoriginaluid)<br>- [EventOriginalType](normalization-common-fields.md#eventoriginaltype)<br>- [EventOriginalSubType](normalization-common-fields.md#eventoriginalsubtype)<br>- [EventOriginalResultDetails](normalization-common-fields.md#eventoriginalresultdetails)<br> - [EventOriginalSeverity](normalization-common-fields.md#eventoriginalseverity) <br> - [EventProductVersion](normalization-common-fields.md#eventproductversion)<br> - [EventReportUrl](normalization-common-fields.md#eventreporturl)<br>- [DvcMacAddr](normalization-common-fields.md#dvcmacaddr)<br>- [DvcOs](normalization-common-fields.md#dvcos)<br>- [DvcOsVersion](normalization-common-fields.md#dvchostname)<br>- [DvcOriginalAction](normalization-common-fields.md#dvcoriginalaction)<br>- [DvcInterface](normalization-common-fields.md#dvcinterface)<br>- [AdditionalFields](normalization-common-fields.md#additionalfields)\| +\|\|\| + ### Updated property fields \| Field \| Class \| Type \| Description \| Some activities, such as UserCreated, GroupCreated, UserModified, an \| Field \| Class \| Type \| Description \| \|-\|-\|\|-\| -\| <a name="hostname"></a>Hostname \| Alias \| \| Alias to [DvcHostname](normalization-about-schemas.md#dvchostname). \| +\| <a name="hostname"></a>Hostname \| Alias \| \| Alias to [DvcHostname](normalization-common-fields.md#dvchostname). \| \|\|\|\|\|
sentinel	Web Normalization Schema	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/web-normalization-schema.md	Title: Microsoft Sentinel Web Session normalization schema reference (Public preview) \| Microsoft Docs + Title: The Advanced Security Information Model (ASIM) Web Session normalization schema reference (Public preview) \| Microsoft Docs description: This article displays the Microsoft Sentinel Web Session normalization schema. cloud: na -# Microsoft Sentinel Web Session normalization schema reference (Public preview) +# The Advanced Security Information Model (ASIM) Web Session normalization schema reference (Public preview) The Web Session normalization schema is used to describe an IP network activity. For example, IP network activities are reported by web servers, web proxies, and web security gateways. For example, to filter only Web sessions for a specified list of domain names, u ```kql let torProxies=dynamic(["tor2web.org", "tor2web.com", "torlink.co",...]); -imWebSession (url_has_any = torProxies) +_Im_WebSession (url_has_any = torProxies) ``` +> [!TIP] +> To pass a literal list to parameters that expect a dynamic value, explicitly use a [dynamic literal](/azure/data-explorer/kusto/query/scalar-data-types/dynamic#dynamic-literals.md). For example: `dynamic(['192.168.','10.'])`. +> + ## Schema details The Web Session information model is aligned with the [OSSEM Network entity schema](https://github.com/OTRF/OSSEM/blob/master/docs/cdm/entities/network.md) and the [OSSEM HTTP entity schema](https://github.com/OTRF/OSSEM/blob/master/docs/cdm/entities/http.md). Fields that describe the user and application associated with the source and des Other ASIM schemas typically use Target instead of Dst. -### Common fields +### Common ASIM fields + +> [!IMPORTANT] +> Fields common to all schemas are described in detail in the [ASIM Common Fields](normalization-common-fields.md) article. +> -Fields common to all schemas are described in the [ASIM schema overview](normalization-about-schemas.md#common). The following fields have specific guidelines for Web Session events: +#### Common fields with specific guidelines + +The following list mentions fields that have specific guidelines for Web Session events: \| Field \| Class \| Type \| Description \| \|\|-\|\|--\| Fields common to all schemas are described in the [ASIM schema overview](normali \| Dvc fields\| \| \| For Web Session events, device fields refer to the system reporting the Web Session event. \| \| \| \| \| \| +#### All common fields + +Fields that appear in the table below are common to all ASIM schemas. Any guideline specified above overrides the general guidelines for the field. For example, a field might be optional in general, but mandatory for a specific schema. For further details on each field, refer to the [ASIM Common Fields](normalization-common-fields.md) article. + +\| Class \| Fields \| +\| \| - \| +\| Mandatory \| - [EventCount](normalization-common-fields.md#eventcount)<br> - [EventStartTime](normalization-common-fields.md#eventstarttime)<br> - [EventEndTime](normalization-common-fields.md#eventendtime)<br> - [EventType](normalization-common-fields.md#eventtype)<br>- [EventResult](normalization-common-fields.md#eventresult)<br> - [EventProduct](normalization-common-fields.md#eventproduct)<br> - [EventVendor](normalization-common-fields.md#eventvendor)<br> - [EventSchema](normalization-common-fields.md#eventschema)<br> - [EventSchemaVersion](normalization-common-fields.md#eventschemaversion)<br> - [Dvc](normalization-common-fields.md#dvc)<br>\| +\| Recommended \| - [EventResultDetails](normalization-common-fields.md#eventresultdetails)<br>- [EventSeverity](normalization-common-fields.md#eventseverity)<br> - [DvcIpAddr](normalization-common-fields.md#dvcipaddr)<br> - [DvcHostname](normalization-common-fields.md#dvchostname)<br> - [DvcDomain](normalization-common-fields.md#dvcdomain)<br>- [DvcDomainType](normalization-common-fields.md#dvcdomaintype)<br>- [DvcFQDN](normalization-common-fields.md#dvcfqdn)<br>- [DvcId](normalization-common-fields.md#dvcid)<br>- [DvcIdType](normalization-common-fields.md#dvcidtype)<br>- [DvcAction](normalization-common-fields.md#dvcaction)\| +\| Optional \| - [EventMessage](normalization-common-fields.md#eventmessage)<br> - [EventSubType](normalization-common-fields.md#eventsubtype)<br>- [EventOriginalUid](normalization-common-fields.md#eventoriginaluid)<br>- [EventOriginalType](normalization-common-fields.md#eventoriginaltype)<br>- [EventOriginalSubType](normalization-common-fields.md#eventoriginalsubtype)<br>- [EventOriginalResultDetails](normalization-common-fields.md#eventoriginalresultdetails)<br> - [EventOriginalSeverity](normalization-common-fields.md#eventoriginalseverity) <br> - [EventProductVersion](normalization-common-fields.md#eventproductversion)<br> - [EventReportUrl](normalization-common-fields.md#eventreporturl)<br>- [DvcMacAddr](normalization-common-fields.md#dvcmacaddr)<br>- [DvcOs](normalization-common-fields.md#dvcos)<br>- [DvcOsVersion](normalization-common-fields.md#dvchostname)<br>- [DvcOriginalAction](normalization-common-fields.md#dvcoriginalaction)<br>- [DvcInterface](normalization-common-fields.md#dvcinterface)<br>- [AdditionalFields](normalization-common-fields.md#additionalfields)\| +\|\|\| + ### Network session fields HTTP sessions are application layer sessions that utilize TCP/IP as the underlying network layer session. The Web Session schema is a super set of [ASIM Network Session schema](network-normalization-schema.md) and all [Network Session Fields](network-normalization-schema.md#network-session-fields) are also included in the Web Session schema. The following ASIM Network Session schema fields have specific guidelines when used for a Web Session event: - The alias User should refer to the [SrcUsername](network-normalization-schema.md#srcusername) and not to [DstUsername](network-normalization-schema.md#dstusername).-- The field [EventOriginalResultDetails](normalization-about-schemas.md#eventoriginalresultdetails) can hold any result reported by the source in addition to the HTTP status code stored in [EventResultDetails](#eventresultdetails). +- The field [EventOriginalResultDetails](normalization-common-fields.md#eventoriginalresultdetails) can hold any result reported by the source in addition to the HTTP status code stored in [EventResultDetails](#eventresultdetails). - For Web Sessions, the primary destination field is the [Url Field](#url). The [DstDomain](network-normalization-schema.md#dstdomain) is optional rather than recommended. Specifically, if not available, there is no need to extract it from the URL in the parser. ### <a name="Intermediary"></a>Intermediary device fields The following are additional fields that are specific to web sessions: \| FileHashType \| Optional \| Enumerated \| The type of the hash in the [Hash](#hash) field. Possible values include: `MD5`, `SHA1`, `SHA256`, and `SHA512`. \| \| FileSize \| Optional \| Integer \| For HTTP uploads, the size in bytes of the uploaded file. \| \| FileContentType \| Optional \| String \| For HTTP uploads, the content type of the uploaded file. \| -\| RuleName \| Optional \| String \| The name or ID of the rule by which [DvcAction](normalization-about-schemas.md#dvcaction) was decided upon.<br><br>Example: `AnyAnyDrop`\| -\| RuleNumber \| Optional \| Integer \| The number of the rule by which [DvcAction](normalization-about-schemas.md#dvcaction) was decided upon.<br><br> Example: `23`\| +\| RuleName \| Optional \| String \| The name or ID of the rule by which [DvcAction](normalization-common-fields.md#dvcaction) was decided upon.<br><br>Example: `AnyAnyDrop`\| +\| RuleNumber \| Optional \| Integer \| The number of the rule by which [DvcAction](normalization-common-fields.md#dvcaction) was decided upon.<br><br> Example: `23`\| \| Rule \| Mandatory \| String \| Either `NetworkRuleName` or `NetworkRuleNumber`\| \| ThreatId \| Optional \| String \| The ID of the threat or malware identified in the Web session.<br><br>Example: `Tr.124`\| \| ThreatName \| Optional \| String \| The name of the threat or malware identified in the Web session.<br><br>Example: `EICAR Test File`\|
service-bus-messaging	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure Service Bus Messaging description: Lists Azure Policy Regulatory Compliance controls available for Azure Service Bus Messaging. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
service-fabric	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure Service Fabric description: Lists Azure Policy Regulatory Compliance controls available for Azure Service Fabric. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
spring-cloud	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-cloud/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure Spring Cloud description: Lists Azure Policy Regulatory Compliance controls available for Azure Spring Cloud. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
storage	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure Storage description: Lists Azure Policy Regulatory Compliance controls available for Azure Storage. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
stream-analytics	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure Stream Analytics description: Lists Azure Policy Regulatory Compliance controls available for Azure Stream Analytics. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
synapse-analytics	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure Synapse Analytics description: Lists Azure Policy Regulatory Compliance controls available for Azure Synapse Analytics. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
synapse-analytics	Synapse Workspace Ip Firewall	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/security/synapse-workspace-ip-firewall.md	Previously updated : 08/15/2021 Last updated : 02/25/2022 This article will explain IP firewall rules and teach you how to configure them ## IP firewall rules -IP firewall rules grant or deny access to your Synapse workspace based on the originating IP address of each request. You can configure IP firewall rules for your workspace. IP firewall rules configured at the workspace level apply to all public endpoints of the workspace (dedicated SQL pools, serverless SQL pool, and development). +IP firewall rules grant or deny access to your Azure Synapse workspace based on the originating IP address of each request. You can configure IP firewall rules for your workspace. IP firewall rules configured at the workspace level apply to all public endpoints of the workspace (dedicated SQL pools, serverless SQL pool, and development). ## Create and manage IP firewall rules There are two ways IP firewall rules are added to an Azure Synapse workspace. To :::image type="content" source="./media/synpase-workspace-ip-firewall/azure-synapse-workspace-networking-connections-all-ip-addresses.png" lightbox="./media/synpase-workspace-ip-firewall/azure-synapse-workspace-networking-connections-all-ip-addresses.png" alt-text="Screenshot that highlights the Security tab, and the 'Allow connections from all IP addresses' checkbox."::: - You can also add IP firewall rules to a Synapse workspace after the workspace is created. Select Firewalls under Security from Azure portal. To add a new IP firewall rule, give it a name, Start IP, and End IP. Select Save when done. +> [!NOTE] +> The Public network access feature is only available to Azure Synapse workspaces associated with Azure Synapse Analytics Managed Virtual Network. However, you can still open your Azure Synapse workspaces to the public network regardless of its association with managed VNet. For more information, see [Public network access](connectivity-settings.md#public-network-access). + :::image type="content" source="./media/synpase-workspace-ip-firewall/azure-synapse-workspace-networking-firewalls-add-client-ip.png" lightbox="./media/synpase-workspace-ip-firewall/azure-synapse-workspace-networking-firewalls-add-client-ip.png" alt-text="Screenshot of the Networking page of a Synapse Workspace, highlighting the Add client IP button and rules fields."::: -## Connect to Synapse from your own network +## Connect to Azure Synapse from your own network You can connect to your Synapse workspace using Synapse Studio. You can also use SQL Server Management Studio (SSMS) to connect to the SQL resources (dedicated SQL pools and serverless SQL pool) in your workspace. Make sure that the firewall on your network and local computer allows outgoing c Also, you need to allow outgoing communication on UDP port 53 for Synapse Studio. To connect using tools such as SSMS and Power BI, you must allow outgoing communication on TCP port 1433. +## Manage the Azure Synapse workspace firewall + +For more information on managing the firewall, see [the Azure SQL documentation to manage server-level firewalls](../../azure-sql/database/firewall-configure.md#create-and-manage-ip-firewall-rules). Azure Synapse only supports server-level IP firewall rules. It doesn't support database-level IP firewall rules. + +For more information on the methods to manage the firewall programmatically, see: +- [API](/rest/api/synapse/ip-firewall-rules) +- [PowerShell](/powershell/module/az.synapse/new-azsynapsefirewallrule) +- [Azure CLI](/cli/azure/sql/server/firewall-rule) ## Next steps
virtual-machines	Security Controls Policy Image Builder	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/security-controls-policy-image-builder.md	Title: Azure Policy Regulatory Compliance controls for Azure Image Builder description: Lists Azure Policy Regulatory Compliance controls available for Azure Image Builder. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
virtual-machines	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure Virtual Machines description: Lists Azure Policy Regulatory Compliance controls available for Azure Virtual Machines . These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022
virtual-machines	Vm Applications How To	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/vm-applications-how-to.md	$appversion = Get-AzGalleryApplicationVersion ` $packageid = $appversion.Id $app = New-AzVmGalleryApplication -PackageReferenceId $packageid Add-AzVmGalleryApplication -VM $vmname -GalleryApplication $app -Update-AzVM -ResourceGroupName $rgname -VM $vmname +Update-AzVM -ResourceGroupName $rgname -VM $vm ``` Verify the application succeeded:
virtual-network	Security Controls Policy	https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/security-controls-policy.md	Title: Azure Policy Regulatory Compliance controls for Azure Virtual Network description: Lists Azure Policy Regulatory Compliance controls available for Azure Virtual Network. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 02/15/2022 Last updated : 03/10/2022