Framework/Configurations/SVT/ControlSettings.json
|
{
"Diagnostics_RetentionPeriod_Min": 365, "Diagnostics_RetentionPeriod_Forever": 0, "KeyVault": { "KeyRotationDuration_Days": 365, "SecretRotationDuration_Days": 180, "KeyType": "RSA-HSM", "ADAppCredentialTypeCrt": "AsymmetricX509Cert", "ADAppCredentialTypePwd": "Password", "MaxRecommendedVersions": 3 }, "SqlServer": { "AuditRetentionPeriod_Min": 365, "AuditRetentionPeriod_Forever": 0 }, "AnalysisService": { "Max_Admin_Count": 2 }, "ERvNet": { "ResourceLockLevel": "ReadOnly", "WhiteListedRGs" : ["ERNetwork-LAB"], "WhiteListedRemoteVirtualNetworkId" : "", "WhiteListedaddressPrefix" : "0.0.0.0/0", "WhiteListednextHopType": "VirtualAppliance" }, "Databricks": { "Tenant_Domain": "microsoft.com" }, "KubernetesService": { "kubernetesVersion": ["1.15.12","1.16.13" ,"1.17.9"] }, "APIManagement": { "AllowedIdentityProvider": [ "Aad" ], "UnsecureProtocolsAndCiphersConfiguration": [ "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10", "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11", "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30", "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10", "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11", "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30", "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168" ], "MaxAllowedAPICount": 30 }, "VirtualMachine": { "Windows": { "SupportedSkuList": [], "ManagementPortList": [ { "Name": "RDP", "Port": 3389 }, { "Name": "WINRM", "Port": 5985 } ], "BaselineIds": [], "ASCRecommendations": [ "EncryptionOnVm", "InstallAntimalware", "VulnerabilityAssessmentDeployment" ], "ASCApprovedPatchingHealthStatuses": [ "Healthy" ], "ASCApprovedBaselineStatuses": [ "Healthy" ], "QueryforBaselineRule": [ "SecurityBaseline | where TimeGenerated >ago(1d) | where ResourceId =~ \"{0}\" | summarize arg_max(TimeGenerated,*)by Description| where AnalyzeResult == \"Failed\" " ], "QueryforMissingPatches": [ "Update | where TimeGenerated >ago(1d) |where UpdateState =~ \"Needed\" and iff(isnotnull(toint(Optional)), Optional == false, Optional == \"false\") == true and iff(isnotnull(toint(Approved)), Approved != false, Approved != \"false\") == true and (Classification == \"Security Updates\" or Classification == \"Critical Updates\") and ResourceId =~ \"{0}\"| summarize AggregatedValue =dcount(UpdateID) by UpdateID,Title |limit 1000000000 " ], "VulnAssessmentSolution":{ "AgentName": "QualysAgent", "RequiredVersion":"1.6.4.9" }, "GuestExtension": { "Name": "ConfigurationForWindows", "RequiredVersion": "1.11.0.0", "AssignmentName" : "SMSClientStatus", "CheckPolicyAssignment":false }, "RequiredExtensions": [ { "ExtensionType": "ConfigurationForWindows", "Publisher": "Microsoft.GuestConfiguration" }, { "ExtensionType": "QualysAgent", "Publisher": "Qualys" }, { "ExtensionType": "IaaSDiagnostics", "Publisher": "Microsoft.Azure.Diagnostics" }, { "ExtensionType": "MicrosoftMonitoringAgent", "Publisher": "Microsoft.EnterpriseCloud.Monitoring" } ], "RequiredGuestConfigPolicies":{ "RequiredPolicyDefinitionIds" : [], "RequiredPolicySetDefinitionIds" : [] } }, "Linux": { "SupportedSkuList": [], "ManagementPortList": [ { "Name": "RDP", "Port": 3389 }, { "Name": "SSH", "Port": 22 } ], "BaselineIds": [], "ASCRecommendations": [], "ASCApprovedPatchingHealthStatuses": [ "Healthy" ], "ASCApprovedBaselineStatuses": [ "Healthy" ], "QueryforBaselineRule": [ "SecurityBaseline | where TimeGenerated >ago(1d) | where ResourceId =~ \"{0}\" | summarize arg_max(TimeGenerated,*)by Description| where AnalyzeResult == \"Failed\" " ], "QueryforMissingPatches": [ "Update | where TimeGenerated >ago(1d) |where UpdateState =~ \"Needed\" and iff(isnotnull(toint(Optional)), Optional == false, Optional == \"false\") == true and iff(isnotnull(toint(Approved)), Approved != false, Approved != \"false\") == true and (Classification == \"Security Updates\" or Classification == \"Critical Updates\") and ResourceId =~ \"{0}\"| summarize AggregatedValue =dcount(UpdateID) by UpdateID,Title |limit 1000000000 " ], "QueryForLinuxAntimalwareStatus": ["ProtectionStatus | where TimeGenerated > ago(7d) and TypeofProtection == \"Sophos Anti-Virus\" and ResourceId contains \"{0}\" | summarize arg_max(TimeGenerated, *)"], "VulnAssessmentSolution": { "AgentName": "QualysAgentLinux", "RequiredVersion": "1.6.0.96" }, "GuestExtension": { "Name": "ConfigurationForLinux", "RequiredVersion": "1.9.0", "AssignmentName" : "SMSClientStatus", "CheckPolicyAssignment": false }, "RequiredExtensions": [ { "ExtensionType": "ConfigurationForLinux", "Publisher": "Microsoft.GuestConfiguration" }, { "ExtensionType": "QualysAgentLinux", "Publisher": "Qualys" }, { "ExtensionType": "LinuxDiagnostic", "Publisher": "Microsoft.Azure.Diagnostics" }, { "ExtensionType": "OmsAgentForLinux", "Publisher": "Microsoft.EnterpriseCloud.Monitoring" } ], "RequiredGuestConfigPolicies":{ "RequiredPolicyDefinitionIds" : [], "RequiredPolicySetDefinitionIds" : [] } }, "Windows_OS_Baseline_Ids": [], "ASCPolicies": { "PolicyAssignment": { "EndpointProtection": "Install endpoint protection solution on your machines", "EndpointProtectionAssessmentKey": "83f577bd-a1b6-b7e1-0891-12ca19d1e6df", "DiskEncryption": "Apply Disk Encryption on your virtual machines", "DiskEncryptionAssessmentKey": "d57a4221-a804-52ca-3dea-768284f06bb7", "VulnerabilityScan": "Remediate vulnerabilities in security configuration on your machines", "VulnerabilityScanAssessmentKey": "181ac480-f7c4-544b-9865-11b8ffe87f47", "OSUpdates": "Install system updates on your machines", "OSUpdatesAssessmentKey": "4ab6e3c5-74dd-8b35-9ab9-f61b30875b27", "MonitoringAgent": "Install monitoring agent on your machines", "MonitoringAgentAssessmentKey": "d1db3318-01ff-16de-29eb-28b344515626" }, "ResourceDetailsKeys": { "WorkspaceId": "Reporting workspace customer id", "WorkspaceResourceId": "Reporting workspace azure id" }, "ASCAssessmentsForIrrelevantRecommendation" : { "EndpointProtectionAssessmentKey" : { "AssessmentName" : "83f577bd-a1b6-b7e1-0891-12ca19d1e6df", "AllowedCauses" : ["SecurityApplianceNonRelevantRecommendation", "SecurityApplianceIrrelevantRecommendation"] }, "VulnerabilitySolutionAssessmentKey":{ "AssessmentName" : "ffff0522-1e88-47fc-8382-2a80ba848f5d", "AllowedCauses" : ["SecurityApplianceNonRelevantRecommendation","SecurityApplianceIrrelevantRecommendation"] } } }, "ControlExclusionsByService" : [ { "ControlTag" : "ExcludeDatabricks", "ResourceTag": "Vendor", "ResourceTagValue" :"Databricks", "ServiceType" : "Databricks" }, { "ControlTag" : "ExcludeKubernetes", "ResourceTag": "orchestrator", "ResourceTagValue" :"Kubernetes*", "ServiceType" : "Kubernetes" } ] }, "VirtualMachineScaleSet": { "Windows": { "SupportedSkuList": [], "ManagementPortList": [ { "Name": "RDP", "Port": 3389 }, { "Name": "WINRM", "Port": 5985 } ] }, "Linux": { "SupportedSkuList": [], "ManagementPortList": [ { "Name": "RDP", "Port": 3389 }, { "Name": "SSH", "Port": 22 } ] }, "ControlExclusionsByService" : [ { "ControlTag" : "ExcludeServiceFabric", "ResourceTag": "resourceType", "ResourceTagValue" :"Service Fabric", "ServiceType" : "ServiceFabric" }, { "ControlTag" : "ExcludeKubernetes", "ResourceTag": "orchestrator", "ResourceTagValue" :"Kubernetes*", "ServiceType" : "Kubernetes" } ] }, "NoOfApprovedAdmins": 5, "NoOfClassicAdminsLimit": 2, "CriticalPIMRoles": { "Subscription" : [ "Owner", "Contributor", "User Access Administrator" ], "ResourceGroup" : [ "Owner", "User Access Administrator" ] }, "ExemptedPIMGroups": { "DisplayName" : "JIT_*_ElevatedAccess" }, "CheckPIMCAPolicyTags": false, "PIMCAPolicyTags":[], "PIMAppId":"01fc33a7-78ba-4d2f-a4b7-768e336e890e", "ASCAlertsSeverityLevels": [ "High" ], "ASCAlertsThresholdInDays": { "High": 0, "Medium": 30 }, "WhitelistedMgmtCerts": { "Thumbprints": [], "ApprovedValidityRangeInDays": 732 }, "WhitelistedPermanentRoles": [ { "DisplayName": "MS-PIM" } ], "WhitelistedCustomRBACRoles": [ { "Id": "21d96096-b162-414a-8302-d8354f9d91b2", "Name": "Azure Service Deploy Release Management Contributor" }, { "Id": "9f15f5f5-77bd-413a-aa88-4b9c68b1e7bc", "Name": "GenevaWarmPathResourceContributor" }, { "Id": "7fd64851-3279-459b-b614-e2b2ba760f5b", "Name": "Office DevOps" }, { "Id": "a48d7796-14b4-4889-afef-fbb65a93e5a2", "Name": "masterreader" } ], "UniversalIPRange": "0.0.0.0-255.255.255.255", "IPRangeStartIP": "0.0.0.0", "IPRangeEndIP": "255.255.255.255", "MetricAlert": { "Actions": { "SendToServiceOwners": true }, "Batch": [ { "Condition": { "DataSource": { "MetricName": "PoolDeleteCompleteEvent" }, "OperatorProperty": "GreaterThan", "Threshold": 0, "TimeAggregation": "Total", "WindowSize": "01:00:00" }, "IsEnabled": true }, { "Condition": { "DataSource": { "MetricName": "PoolDeleteStartEvent" }, "OperatorProperty": "GreaterThan", "Threshold": 0, "TimeAggregation": "Total", "WindowSize": "01:00:00" }, "IsEnabled": true } ], "Storage": [ { "Condition": { "MetricName": "Transactions", "OperatorProperty": "GreaterThan", "Threshold": 0, "TimeAggregation": "Total", "Dimensions":{ "Name" : "Authentication", "OperatorProperty" : "Include", "Values" : "Anonymous" }, "WindowSize": "01:00:00", "Frequency": "01:00:00", "IsEnabled": true } } ], "StreamAnalytics": [ { "Condition": { "DataSource": { "MetricName": "AMLCalloutFailedRequests" }, "OperatorProperty": "GreaterThan", "Threshold": 0, "TimeAggregation": "Total", "WindowSize": "00:05:00" }, "IsEnabled": true }, { "Condition": { "DataSource": { "MetricName": "Errors" }, "OperatorProperty": "GreaterThan", "Threshold": 0, "TimeAggregation": "Total", "WindowSize": "00:05:00" }, "IsEnabled": true } ], "APIManagement": [ { "Condition": { "DataSource": { "MetricName": "UnauthorizedRequests" }, "OperatorProperty": "GreaterThan", "Threshold": 0, "TimeAggregation": "Total", "WindowSize": "01:00:00" }, "IsEnabled": true } ] }, "StorageKindMapping": [ { "Kind": "BlobStorage", "Services": [ "blob" ], "DiagnosticsLogServices": [ "blob" ] }, { "Kind": "Storage", "Services": [ "blob", "file", "queue", "table" ], "DiagnosticsLogServices": [ "blob", "queue", "table" ] }, { "Kind": "StorageV2", "Services": [ "blob", "file", "queue", "table" ], "DiagnosticsLogServices": [ "blob", "queue", "table" ] } ], "AppService": { "Backup_RetentionPeriod_Min": 365, "Backup_RetentionPeriod_Forever": 0, "LatestDotNetFrameworkVersionNumber": "v4.0", "Minimum_Instance_Count": 2, "TLS_Version" : "1.2", "AADAuthAPIVersion": "2016-08-01", "LoadCertAppSettings": "WEBSITE_LOAD_CERTIFICATES", "NonAADAuthProperties": [ "googleClientId", "facebookAppId", "twitterConsumerKey", "microsoftAccountClientId" ], "AllowedAuthenticationProviders": [ ] }, "DataBricksFilters":{ "TagName": "Vendor", "TagValue": "Databricks" }, "StorageDiagnosticsSkuMapping": [ "Standard_GRS", "Standard_LRS", "Standard_RAGRS", "Standard_ZRS" ], "StorageAlertSkuMapping": [ "Standard_GRS", "Standard_LRS", "Standard_RAGRS" ], "StorageGeoRedundantSku": [ "Standard_GRS", "Standard_RAGRS" ], "LockedResourcesTags": [ { "TagName": "application", "TagValue": "databricks" } ], "RedisCache": { "FirewallApplicableSku": [ "Premium" ], "RDBBackApplicableSku": [ "Premium" ] }, "CosmosDb": { "Firewall": { "IpLimitPerDb": 2048, "IpLimitPerRange": 256 } }, "Automation": { "WebhookValidityInDays": 60, "variablesToSkip": ["AppResourceGroupNames", "ReportsStorageAccountName", "UpdateToLatestAzSKVersion", "OMSSharedKey", "OMSWorkspaceId", "AltOMSWorkspaceId", "AltOMSSharedKey", "LAWSId", "LAWSSharedKey", "AltLAWSId", "AltLAWSSharedKey", "WebhookAuthZHeaderName", "WebhookUrl"] }, "AllowedResourceTypesForMetadataCapture":["AppService", "VirtualMachine","DataFactory","DataFactoryV2"], "BaselineControls": { "ResourceTypeControlIdMappingList": [ ], "SubscriptionControlIdList": [], "ExpiryInDays": 2, "SupportedSources": [] }, "PreviewBaselineControls": { "ResourceTypeControlIdMappingList": [ ], "SubscriptionControlIdList": [ ], "ExpiryInDays": 2, "SupportedSources": [] }, "ControlsToExcludeFromScan": { "TenantIds": [], "ControlIds" : [], "ExclusionWarningMessage" : "", "ExclusionHelpLink": "" }, "CloudService": { "LatestOSSKUIDs": [ "WA-GUEST-OS-4.44_201707-01" ] }, "AttestationExpiryPeriodInDays": { "Default": 90, "ControlSeverity": { "Critical": 7, "High": 30, "Medium": 60, "Low": 90 } }, "AttestationTrimIntervalDays":{ "Days" : 30 }, "PurgeAttestationbackupAfterDays":{ "Days" : 90 }, "SubscriptionCore": { "EnableV1AlertFailure": false, "ASCTier": ["Standard"], "Standard" : ["VirtualMachines","SqlServers","AppServices","StorageAccounts"], "credHighTH": 7, "credModerateTH": 30, "NonADIdentitiesPatterns" : ["(.)*#ext#@(.)*.onmicrosoft.com"], "WhitelistedNonADIndentitiesPatterns" : [] }, "HDInsight": { "MinSupportedClusterVersion": "3.6.0" }, "EventHubOutput": { "TokenTimeOut": 1800, "TimeOut": 60, "APIVersion": "2014-01" }, "DefaultValidAttestationStates": [ "NotAnIssue", "WillFixLater", "WillNotFix" ], "NewControlGracePeriodInDays": { "Default": 30, "ControlSeverity": { "Critical": 30, "High": 30, "Medium": 30, "Low": 30 } }, "AttestationPeriodInDays": { "Default": 90, "ControlSeverity": { "Critical": 7, "High": 30, "Medium": 60, "Low": 90 } }, "DefaultAttestationPeriodForExemptControl": 180, "ResultComplianceInDays": { "DefaultControls": 3, "OwnerAccessControls": 90 }, "ControlSeverity": { "Critical": "Critical", "High": "High", "Medium": "Medium", "Low": "Low" }, "MandatoryTags":[ ], "WhitelistedResourceGroups": [], "InClusterCA": { "AKS":{ "RequiredImagePath": "azskteam/azsk-aks", "RequiredImageTag": "latest" } }, "PublicIpAddress": { "EnablePublicIpResource": false }, "ExtendedAttestationExpiry" : 180, "SeverityForSecContactAlerts": ["Medium","Low"], "MaxResourceInventoryObjectsCount": 20000, "AlernateAccountRegularExpressionForOrg": "", "PrivilegedRolesForSub" : ["Owner" , "Contributor" , "User Access Administrator"], "GenerateSecurityEvaluationJsonFile": false } |