
Commit ab183ef

authoredJan 29, 2020
Built-in Policy Release 0e226790 (#514)
* Built-in Policy Release 0e226790 * Add README back
1 parent eac12cb commit ab183ef

6 files changed

+631
-0
lines changed
 
@@ -0,0 +1,117 @@
1+
{
2+
"properties": {
3+
"displayName": "An activity log alert should exist for specific Administrative operations",
4+
"description": "This policy audits specific Administrative operations with no activity log alerts configured.",
5+
"policyType": "BuiltIn",
6+
"mode": "All",
7+
"metadata": {
8+
"version": "1.0.0",
9+
"category": "Monitoring"
10+
},
11+
"parameters": {
12+
"effect": {
13+
"type": "String",
14+
"metadata": {
15+
"displayName": "Effect",
16+
"description": "Enable or disable the execution of the policy"
17+
},
18+
"allowedValues": [
19+
"AuditIfNotExists",
20+
"Disabled"
21+
],
22+
"defaultValue": "AuditIfNotExists"
23+
},
24+
"operationName": {
25+
"type": "String",
26+
"metadata": {
27+
"displayName": "Operation Name",
28+
"description": "Administrative Operation name for which activity log alert should be configured"
29+
},
30+
"allowedValues": [
31+
"Microsoft.Sql/servers/firewallRules/write",
32+
"Microsoft.Sql/servers/firewallRules/delete",
33+
"Microsoft.Network/networkSecurityGroups/write",
34+
"Microsoft.Network/networkSecurityGroups/delete",
35+
"Microsoft.ClassicNetwork/networkSecurityGroups/write",
36+
"Microsoft.ClassicNetwork/networkSecurityGroups/delete",
37+
"Microsoft.Network/networkSecurityGroups/securityRules/write",
38+
"Microsoft.Network/networkSecurityGroups/securityRules/delete",
39+
"Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/write",
40+
"Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/delete"
41+
]
42+
}
43+
},
44+
"policyRule": {
45+
"if": {
46+
"allOf": [
47+
{
48+
"field": "type",
49+
"equals": "Microsoft.Resources/subscriptions"
50+
}
51+
]
52+
},
53+
"then": {
54+
"effect": "[parameters('effect')]",
55+
"details": {
56+
"type": "Microsoft.Insights/ActivityLogAlerts",
57+
"existenceCondition": {
58+
"allOf": [
59+
{
60+
"field": "Microsoft.Insights/ActivityLogAlerts/enabled",
61+
"equals": "true"
62+
},
63+
{
64+
"count": {
65+
"field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]",
66+
"where": {
67+
"anyOf": [
68+
{
69+
"allOf": [
70+
{
71+
"field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
72+
"equals": "category"
73+
},
74+
{
75+
"field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
76+
"equals": "Administrative"
77+
}
78+
]
79+
},
80+
{
81+
"allOf": [
82+
{
83+
"field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
84+
"equals": "operationName"
85+
},
86+
{
87+
"field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
88+
"equals": "[parameters('operationName')]"
89+
}
90+
]
91+
}
92+
]
93+
}
94+
},
95+
"equals": 2
96+
},
97+
{
98+
"not": {
99+
"field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
100+
"equals": "category"
101+
}
102+
},
103+
{
104+
"not": {
105+
"field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
106+
"equals": "operationName"
107+
}
108+
}
109+
]
110+
}
111+
}
112+
}
113+
}
114+
},
115+
"id": "/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a",
116+
"name": "b954148f-4c11-4c38-8221-be76711e194a"
117+
}
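Review bot: The existence condition under `policyRule.then.details` (the `count`/`where` block plus the two `not` clauses) bounds only the number of *matching* `condition.allOf` entries, so an alert whose `allOf` also carries a narrowing clause such as `resourceGroup` or `resourceId` still satisfies the policy without covering the whole subscription. A second count over the same alias with no `where` closes that: `{ "count": { "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]" }, "equals": 2 }`. Nothing here inspects the alert's `scopes` or `actions.actionGroups` either, so as far as I can tell an enabled alert with no action group attached is accepted; whether the aliases needed to check those resolve in this release is not visible from the page. Since `operationName` is a single string with no default, one assignment covers one operation, and the description could say so: `"This policy audits specific Administrative operations with no activity log alerts configured. Assign once per operation name to cover all listed operations."`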
@@ -0,0 +1,113 @@
1+
{
2+
"properties": {
3+
"displayName": "An activity log alert should exist for specific Policy operations",
4+
"description": "This policy audits specific Policy operations with no activity log alerts configured.",
5+
"policyType": "BuiltIn",
6+
"mode": "All",
7+
"metadata": {
8+
"version": "1.0.0",
9+
"category": "Monitoring"
10+
},
11+
"parameters": {
12+
"effect": {
13+
"type": "String",
14+
"metadata": {
15+
"displayName": "Effect",
16+
"description": "Enable or disable the execution of the policy"
17+
},
18+
"allowedValues": [
19+
"AuditIfNotExists",
20+
"Disabled"
21+
],
22+
"defaultValue": "AuditIfNotExists"
23+
},
24+
"operationName": {
25+
"type": "String",
26+
"metadata": {
27+
"displayName": "Operation Name",
28+
"description": "Policy Operation name for which activity log alert should exist"
29+
},
30+
"allowedValues": [
31+
"Microsoft.Authorization/policyAssignments/write",
32+
"Microsoft.Authorization/policyAssignments/delete"
33+
]
34+
}
35+
},
36+
"policyRule": {
37+
"if": {
38+
"allOf": [
39+
{
40+
"field": "type",
41+
"equals": "Microsoft.Resources/subscriptions"
42+
}
43+
]
44+
},
45+
"then": {
46+
"effect": "[parameters('effect')]",
47+
"details": {
48+
"type": "Microsoft.Insights/ActivityLogAlerts",
49+
"existenceCondition": {
50+
"allOf": [
51+
{
52+
"field": "Microsoft.Insights/ActivityLogAlerts",
53+
"exists": "true"
54+
},
55+
{
56+
"field": "Microsoft.Insights/ActivityLogAlerts/enabled",
57+
"equals": "true"
58+
},
59+
{
60+
"count": {
61+
"field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]",
62+
"where": {
63+
"anyOf": [
64+
{
65+
"allOf": [
66+
{
67+
"field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
68+
"equals": "category"
69+
},
70+
{
71+
"field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
72+
"equals": "Policy"
73+
}
74+
]
75+
},
76+
{
77+
"allOf": [
78+
{
79+
"field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
80+
"equals": "operationName"
81+
},
82+
{
83+
"field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
84+
"equals": "[parameters('operationName')]"
85+
}
86+
]
87+
}
88+
]
89+
}
90+
},
91+
"equals": 2
92+
},
93+
{
94+
"not": {
95+
"field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
96+
"equals": "category"
97+
}
98+
},
99+
{
100+
"not": {
101+
"field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
102+
"equals": "operationName"
103+
}
104+
}
105+
]
106+
}
107+
}
108+
}
109+
}
110+
},
111+
"id": "/providers/Microsoft.Authorization/policyDefinitions/c5447c04-a4d7-4ba8-a263-c9ee321a6858",
112+
"name": "c5447c04-a4d7-4ba8-a263-c9ee321a6858"
113+
}
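Review bot: The leading clause `{ "field": "Microsoft.Insights/ActivityLogAlerts", "exists": "true" }` in `existenceCondition` does not appear in the Administrative or Security definitions released in the same commit, and its `field` names the resource type rather than a property alias, so it is unclear what it evaluates against; I would either drop it for consistency with the siblings or, if it is intentional, apply it to all three and record why in `metadata`. The rest of the condition shares the siblings' gap: the `count`/`where` block bounds only the matching `condition.allOf` entries, so an alert that additionally restricts on `resourceGroup` or `resourceId` passes while not watching the whole subscription, which `{ "count": { "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]" }, "equals": 2 }` would close. For a control on `policyAssignments/write` and `delete` in particular, a principal holding that permission can presumably also remove this very assignment, so the value of the alert rests on it actually notifying someone — yet nothing in the definition checks that `actions.actionGroups` is populated.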
@@ -0,0 +1,110 @@
1+
{
2+
"properties": {
3+
"displayName": "An activity log alert should exist for specific Security operations",
4+
"description": "This policy audits specific Security operations with no activity log alerts configured.",
5+
"policyType": "BuiltIn",
6+
"mode": "All",
7+
"metadata": {
8+
"version": "1.0.0",
9+
"category": "Monitoring"
10+
},
11+
"parameters": {
12+
"effect": {
13+
"type": "String",
14+
"metadata": {
15+
"displayName": "Effect",
16+
"description": "Enable or disable the execution of the policy"
17+
},
18+
"allowedValues": [
19+
"AuditIfNotExists",
20+
"Disabled"
21+
],
22+
"defaultValue": "AuditIfNotExists"
23+
},
24+
"operationName": {
25+
"type": "String",
26+
"metadata": {
27+
"displayName": "Operation Name",
28+
"description": "Security Operation name for which activity log alert should exist"
29+
},
30+
"allowedValues": [
31+
"Microsoft.Security/policies/write",
32+
"Microsoft.Security/securitySolutions/write",
33+
"Microsoft.Security/securitySolutions/delete"
34+
]
35+
}
36+
},
37+
"policyRule": {
38+
"if": {
39+
"allOf": [
40+
{
41+
"field": "type",
42+
"equals": "Microsoft.Resources/subscriptions"
43+
}
44+
]
45+
},
46+
"then": {
47+
"effect": "[parameters('effect')]",
48+
"details": {
49+
"type": "Microsoft.Insights/ActivityLogAlerts",
50+
"existenceCondition": {
51+
"allOf": [
52+
{
53+
"field": "Microsoft.Insights/ActivityLogAlerts/enabled",
54+
"equals": "true"
55+
},
56+
{
57+
"count": {
58+
"field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]",
59+
"where": {
60+
"anyOf": [
61+
{
62+
"allOf": [
63+
{
64+
"field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
65+
"equals": "category"
66+
},
67+
{
68+
"field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
69+
"equals": "Security"
70+
}
71+
]
72+
},
73+
{
74+
"allOf": [
75+
{
76+
"field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
77+
"equals": "operationName"
78+
},
79+
{
80+
"field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
81+
"equals": "[parameters('operationName')]"
82+
}
83+
]
84+
}
85+
]
86+
}
87+
},
88+
"equals": 2
89+
},
90+
{
91+
"not": {
92+
"field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
93+
"equals": "category"
94+
}
95+
},
96+
{
97+
"not": {
98+
"field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
99+
"equals": "operationName"
100+
}
101+
}
102+
]
103+
}
104+
}
105+
}
106+
}
107+
},
108+
"id": "/providers/Microsoft.Authorization/policyDefinitions/3b980d31-7904-4bb7-8575-5665739a8052",
109+
"name": "3b980d31-7904-4bb7-8575-5665739a8052"
110+
}
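Review bot: `existenceCondition` verifies `enabled` and the two condition entries but nothing about where the alert applies or whom it notifies, so as far as I can tell an alert scoped to a single resource group, or one with an empty `actions.actionGroups`, satisfies this policy for the whole subscription. If the alias resolves in this release, adding `{ "field": "Microsoft.Insights/ActivityLogAlerts/actions.actionGroups[*].actionGroupId", "exists": "true" }` next to the `enabled` check would at least require a delivery target. As in the sibling definitions, the `count`/`where` block only bounds matching `condition.allOf` entries, so an extra narrowing clause in the alert still passes; `{ "count": { "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]" }, "equals": 2 }` closes that. The parameter description `"Security Operation name for which activity log alert should exist"` could also state that one assignment covers a single operation, since `operationName` is a plain string with no default.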
