Framework/Configurations/SVT/Services/StreamAnalytics.json
|
{
"FeatureName": "StreamAnalytics", "Reference": "aka.ms/azsdkosstcp", "IsManintenanceMode": false, "Controls": [ { "ControlID": "Azure_StreamAnalytics_AuthZ_Grant_Min_RBAC_Access", "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)", "Id": "StreamAnalytics110", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckRBACAccess", "Recommendation": "Remove any excessive privileges granted on the Stream Analytics. Assign 'Log Analytics Contributor' RBAC role to developers who manages Stream Analytics configurations. Run command: Remove-AzureRmRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. Run 'Get-Help Remove-AzureRmRoleAssignment -full' for more help. Refer: https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-manage-access-powershell", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "Azure_StreamAnalytics_Audit_Enable_Diagnostics_Log", "Description": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days.", "Id": "StreamAnalytics120", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckDiagnosticsSettings", "Recommendation": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days. Run command: Set-AzureRmDiagnosticSetting -ResourceId {'ResourceId'} -Enable $true -StorageAccountId '{StorageAccountId}' -RetentionInDays $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) -RetentionEnabled $true. Refer: https://docs.microsoft.com/en-us/azure/stream-analytics/stream-analytics-job-diagnostic-logs", "Tags": [ "SDL", "TCP", "Manual", "Audit", "Diagnostics" ], "Enabled": true }, { "ControlID": "Azure_StreamAnalytics_BCDR_Backup_Job_Queries", "Description": "Backup must be planned for Stream Analytics job queries.", "Id": "StreamAnalytics130", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Recommendation": "Ensure the queries in the Stream Analytics Job has been backed up from a BC-DR standpoint.", "Tags": [ "SDL", "TCP", "Manual", "BCDR" ], "Enabled": true }, { "ControlID": "Azure_StreamAnalytics_Audit_Issue_Alert_Runtime_Errors_Failed_Functions", "Description": "Alert rules must be configured for Runtime Errors and Failed Functions", "Id": "StreamAnalytics140", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckStreamAnalyticsMetricAlert", "Recommendation": "Run command: 'Add-AzureRmMetricAlertRule -MetricName 'Errors' -Operator 'GreaterThan' -Threshold '0' -TimeAggregationOperator 'Total' -WindowSize '00:05:00' -Actions '<New-AzureRmAlertRuleEmail -SendToServiceOwners>' -Name '<AlertName>' -ResourceGroup '<RGName>' -TargetResourceId '<TargetResourceId>' -Location '<Location>''. Run 'Get-Help Add-AzureRmMetricAlertRule -full' for more help. Note: Execute Add-AzureRmMetricAlertRule function again with 'AMLCalloutFailedRequests' MetricName.", "Tags": [ "SDL", "TCP", "Automated", "Audit" ], "Enabled": true }, { "ControlID": "Azure_StreamAnalytics_BCDR_Configure_Paired_Region", "Description": "Paired Regions should be configured for disaster recovery", "Id": "StreamAnalytics150", "ControlSeverity": "Low", "Automated": "No", "MethodName": "", "Recommendation": "Critical jobs of Stream Analytics should be deployed to both paired regions. In addition to Stream Analytics internal monitoring capabilities, customers are also advised to monitor the jobs. If a break is identified to be a result of the Stream Analytics service update, escalate appropriately and fail over any downstream consumers to the healthy job output. Escalation to support will prevent the paired region from being affected by the new deployment and maintain the integrity of the paired jobs. Refer: https://docs.microsoft.com/en-us/azure/stream-analytics/stream-analytics-job-reliability", "Tags": [ "SDL", "Best Practice", "Manual", "BCDR" ], "Enabled": true } ] } |