diff --git a/docs/en/rules/Azure.Defender.Storage.MalwareScan.md b/docs/en/rules/Azure.Defender.Storage.MalwareScan.md
index 6413c7932c0..87a01fb9728 100644
--- a/docs/en/rules/Azure.Defender.Storage.MalwareScan.md
+++ b/docs/en/rules/Azure.Defender.Storage.MalwareScan.md
@@ -1,7 +1,7 @@
 ---
 severity: Critical
 pillar: Security
-category: Data protection
+category: Tools
 resource: Microsoft Defender for Cloud
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Defender.Storage.MalwareScan/
 ---
@@ -48,22 +48,26 @@ For example:
 
 ```json
 {
-    "type": "Microsoft.Security/pricings",
-    "apiVersion": "2022-03-01",
-    "name": "StorageAccounts",
-    "properties": {
-        "pricingTier": "Standard",
-        "subPlan": "DefenderForStorageV2",
-        "extensions": [
-            {
-                "name": "OnUploadMalwareScanning",
-                "isEnabled": "True",
-                "additionalExtensionProperties": {
-                    "CapGBPerMonthPerStorageAccount": "5000"
-                }
-            }
-        ]
-    }
+  "type": "Microsoft.Security/pricings",
+  "apiVersion": "2023-01-01",
+  "name": "StorageAccounts",
+  "properties": {
+    "pricingTier": "Standard",
+    "subPlan": "DefenderForStorageV2",
+    "extensions": [
+      {
+        "name": "OnUploadMalwareScanning",
+        "isEnabled": "True",
+        "additionalExtensionProperties": {
+          "CapGBPerMonthPerStorageAccount": "5000"
+        }
+      },
+      {
+        "name": "SensitiveDataDiscovery",
+        "isEnabled": "True"
+      }
+    ]
+  }
 }
 ```
 
@@ -77,7 +81,7 @@ To enable Malware Scanning in Microsoft Defender for Storage:
 For example:
 
 ```bicep
-resource defenderForStorage 'Microsoft.Security/pricings@2022-03-01' = {
+resource defenderForStorage 'Microsoft.Security/pricings@2023-01-01' = {
   name: 'StorageAccounts'
   properties: {
     pricingTier: 'Standard'
@@ -90,6 +94,10 @@ resource defenderForStorage 'Microsoft.Security/pricings@2022-03-01' = {
         CapGBPerMonthPerStorageAccount: '5000'
       }
     }
+    {
+      name: 'SensitiveDataDiscovery'
+      isEnabled: 'True'
+    }
   ]
 }
 }
@@ -105,7 +113,7 @@ Malware Scanning is not supported for storage accounts with public network acces
 
 ## LINKS
 
-- [Security operations in Azure](https://learn.microsoft.com/azure/architecture/framework/security/monitor-security-operations)
+- [Azure security monitoring tools](https://learn.microsoft.com/azure/well-architected/security/monitor-tools)
 - [What is Microsoft Defender for Cloud?](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
 - [Malware Scanning in Defender for Storage](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-storage-malware-scan)
 - [Limitations](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-storage-malware-scan#limitations)
diff --git a/docs/en/rules/Azure.Defender.Storage.SensitiveData.md b/docs/en/rules/Azure.Defender.Storage.SensitiveData.md
index 0581cb67334..16b441be91e 100644
--- a/docs/en/rules/Azure.Defender.Storage.SensitiveData.md
+++ b/docs/en/rules/Azure.Defender.Storage.SensitiveData.md
@@ -1,7 +1,7 @@
 ---
 severity: Critical
 pillar: Security
-category: Data protection
+category: Tools
 resource: Microsoft Defender for Cloud
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Defender.Storage.SensitiveData/
 ---
@@ -22,7 +22,7 @@ The sensitive data threat detection capability helps teams:
 - Identity where sensitive data is stored.
 - Detect possible security incidents resulting is data exposure.
 
-When enabling sensitive data threat detection, the sensitive data categories include built-in sensitive information types (SITs) in the default list of Microsoft Purview.
+When enabling sensitive data threat detection, the sensitive data categories include built-in sensitive information types (SITs) in the default list of Microsoft Purview. It is possible to customize the Data Sensitivity Discovery for a organization, by creating custom sensitive information types (SITs).
 
 Sensitive data threat detection in Microsoft Defender for Storage can be enabled at the subscription level and by doing so ensures all storage accounts in the subscription will be protected, including future ones.
 
@@ -44,19 +44,26 @@ For example:
 
 ```json
 {
-    "type": "Microsoft.Security/pricings",
-    "apiVersion": "2022-03-01",
-    "name": "StorageAccounts",
-    "properties": {
-        "pricingTier": "Standard",
-        "subPlan": "DefenderForStorageV2",
-        "extensions": [
-            {
-                "name": "SensitiveDataDiscovery",
-                "isEnabled": "True",
-            }
-        ]
-    }
+  "type": "Microsoft.Security/pricings",
+  "apiVersion": "2023-01-01",
+  "name": "StorageAccounts",
+  "properties": {
+    "pricingTier": "Standard",
+    "subPlan": "DefenderForStorageV2",
+    "extensions": [
+      {
+        "name": "OnUploadMalwareScanning",
+        "isEnabled": "True",
+        "additionalExtensionProperties": {
+          "CapGBPerMonthPerStorageAccount": "5000"
+        }
+      },
+      {
+        "name": "SensitiveDataDiscovery",
+        "isEnabled": "True"
+      }
+    ]
+  }
 }
 ```
 
@@ -70,12 +77,19 @@ To enable sensitive data threat detection in Microsoft Defender for Storage:
 For example:
 
 ```bicep
-resource defenderForStorage 'Microsoft.Security/pricings@2022-03-01' = {
+resource defenderForStorage 'Microsoft.Security/pricings@2023-01-01' = {
   name: 'StorageAccounts'
   properties: {
     pricingTier: 'Standard'
     subPlan: 'DefenderForStorageV2'
     extensions: [
+      {
+        name: 'OnUploadMalwareScanning'
+        isEnabled: 'True'
+        additionalExtensionProperties: {
+          CapGBPerMonthPerStorageAccount: '5000'
+        }
+      }
       {
         name: 'SensitiveDataDiscovery'
         isEnabled: 'True'
@@ -91,11 +105,12 @@ This feature is currently in preview.
 
 The `DefenderForStorageV2` sub plan represents the new Defender for Storage plan which offers several new benefits that aren't included in the classic plan, such as sensitive data threat detection.
 
-Sensitive data threat detection is not supported for storage accounts with public network access set to disabled. Not all services within storage accounts are currently supported.
+Sensitive data threat detection is not supported for storage accounts with public network access set to disabled.
+Not all services within storage accounts are currently supported.
 
 ## LINKS
 
-- [Security operations in Azure](https://learn.microsoft.com/azure/architecture/framework/security/monitor-security-operations)
+- [Azure security monitoring tools](https://learn.microsoft.com/azure/well-architected/security/monitor-tools)
 - [What is Microsoft Defender for Cloud?](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
 - [Sensitive data threat detection in Defender for Storage](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-storage-data-sensitivity)
 - [Support and prerequisites for data-aware security posture](https://learn.microsoft.com/azure/defender-for-cloud/concept-data-security-posture-prepare)
diff --git a/docs/en/rules/Azure.Defender.Storage.md b/docs/en/rules/Azure.Defender.Storage.md
index 08df7ab19ee..72adc6784bc 100644
--- a/docs/en/rules/Azure.Defender.Storage.md
+++ b/docs/en/rules/Azure.Defender.Storage.md
@@ -2,7 +2,7 @@
 reviewed: 2023-18-05
 severity: Critical
 pillar: Security
-category: Data protection
+category: Tools
 resource: Microsoft Defender for Cloud
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Defender.Storage/
 ---
@@ -45,13 +45,26 @@ For example:
 
 ```json
 {
-    "type": "Microsoft.Security/pricings",
-    "apiVersion": "2022-03-01",
-    "name": "StorageAccounts",
-    "properties": {
-        "pricingTier": "Standard",
-        "subPlan": "DefenderForStorageV2"
-    }
+  "type": "Microsoft.Security/pricings",
+  "apiVersion": "2023-01-01",
+  "name": "StorageAccounts",
+  "properties": {
+    "pricingTier": "Standard",
+    "subPlan": "DefenderForStorageV2",
+    "extensions": [
+      {
+        "name": "OnUploadMalwareScanning",
+        "isEnabled": "True",
+        "additionalExtensionProperties": {
+          "CapGBPerMonthPerStorageAccount": "5000"
+        }
+      },
+      {
+        "name": "SensitiveDataDiscovery",
+        "isEnabled": "True"
+      }
+    ]
+  }
 }
 ```
 
@@ -64,11 +77,24 @@ To enable Defender for Storage:
 For example:
 
 ```bicep
-resource defenderForStorage 'Microsoft.Security/pricings@2022-03-01' = {
+resource defenderForStorage 'Microsoft.Security/pricings@2023-01-01' = {
   name: 'StorageAccounts'
   properties: {
     pricingTier: 'Standard'
     subPlan: 'DefenderForStorageV2'
+    extensions: [
+      {
+        name: 'OnUploadMalwareScanning'
+        isEnabled: 'True'
+        additionalExtensionProperties: {
+          CapGBPerMonthPerStorageAccount: '5000'
+        }
+      }
+      {
+        name: 'SensitiveDataDiscovery'
+        isEnabled: 'True'
+      }
+    ]
   }
 }
 ```
@@ -81,14 +107,16 @@ Set-AzSecurityPricing -Name 'StorageAccounts' -PricingTier 'Standard' -SubPlan '
 
 ## NOTES
 
-The `DefenderForStorageV2` sub plan represents the new Defender for Storage plan which offers several new benefits that aren't included in the classic plan. The new plan includes more advanced capabilities that can help improve the security of the data and help prevent malicious file uploads, sensitive data exfiltration, and data corruption. Some features within the new plan is still in preview, but these are configurable.
+The `DefenderForStorageV2` sub plan represents the new Defender for Storage plan which offers several new benefits that aren't included in the classic plan.
+The new plan includes more advanced capabilities that can help improve the security of the data and help prevent malicious file uploads, sensitive data exfiltration, and data corruption.
+Some features within the new plan is still in preview, but these are configurable.
 
 Currently only the `Blob Storage`, `Azure Files` and `Azure Data Lake Storage Gen2` service is supported by Defender for Storage.
 
 ## LINKS
 
-- [Storage security guide](https://learn.microsoft.com/azure/storage/blobs/security-recommendations?toc=%2Fazure%2Fsecurity%2Ffundamentals%2Ftoc.json&bc=%2Fazure%2Fsecurity%2Fbreadcrumb%2Ftoc.json)
-- [Security operations in Azure](https://learn.microsoft.com/azure/architecture/framework/security/monitor-security-operations)
+- [Azure security monitoring tools](https://learn.microsoft.com/azure/well-architected/security/monitor-tools)
+- [Storage security guide](https://learn.microsoft.com/azure/storage/blobs/security-recommendations)
 - [What is Microsoft Defender for Cloud?](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction)
 - [Overview of Microsoft Defender for Storage](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-storage-introduction)
 - [Migrate from Defender for Storage (classic) to the new plan](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-storage-classic-migrate)
diff --git a/docs/en/rules/Azure.DefenderCloud.Contact.md b/docs/en/rules/Azure.DefenderCloud.Contact.md
index af2fb5badb7..ee558dc431c 100644
--- a/docs/en/rules/Azure.DefenderCloud.Contact.md
+++ b/docs/en/rules/Azure.DefenderCloud.Contact.md
@@ -23,4 +23,6 @@ Consider configuring Microsoft Defender for Cloud email and phone contact detail
 
 ## LINK
 
-- [Quickstart: Configure email notifications for security alerts](https://docs.microsoft.com/azure/defender-for-cloud/configure-email-notifications)
+- [Security operations in Azure](https://learn.microsoft.com/azure/well-architected/security/monitor-security-operations#assign-incident-notification-contact)
+- [Quickstart: Configure email notifications for security alerts](https://learn.microsoft.com/azure/defender-for-cloud/configure-email-notifications)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.security/securitycontacts)
diff --git a/docs/examples-defender.bicep b/docs/examples-defender.bicep
index 8699751b71c..effd86f064b 100644
--- a/docs/examples-defender.bicep
+++ b/docs/examples-defender.bicep
@@ -5,8 +5,26 @@ targetScope = 'subscription'
 
 // Bicep documentation examples
 
+// Configures security contacts to be notified for Microsoft Defender alerts
+resource securityContact 'Microsoft.Security/securityContacts@2020-01-01-preview' = {
+  name: 'default'
+  properties: {
+    notificationsByRole: {
+      roles: [
+        'Owner'
+      ]
+      state: 'On'
+    }
+    emails: 'security@contoso.com'
+    alertNotifications: {
+      minimalSeverity: 'High'
+      state: 'On'
+    }
+  }
+}
+
 // Configures Microsoft Defender for Containers.
-resource defenderForContainers 'Microsoft.Security/pricings@2022-03-01' = {
+resource defenderForContainers 'Microsoft.Security/pricings@2023-01-01' = {
   name: 'Containers'
   properties: {
     pricingTier: 'Standard'
@@ -14,7 +32,7 @@ resource defenderForContainers 'Microsoft.Security/pricings@2022-03-01' = {
 }
 
 // Configures Microsoft Defender for Virtual Machines.
-resource defenderForVirtualMachines 'Microsoft.Security/pricings@2022-03-01' = {
+resource defenderForVirtualMachines 'Microsoft.Security/pricings@2023-01-01' = {
   name: 'VirtualMachines'
   properties: {
     pricingTier: 'Standard'
@@ -23,7 +41,7 @@ resource defenderForVirtualMachines 'Microsoft.Security/pricings@2022-03-01' = {
 }
 
 // Configures Microsoft Defender for Sql Servers.
-resource defenderForSqlServers 'Microsoft.Security/pricings@2022-03-01' = {
+resource defenderForSqlServers 'Microsoft.Security/pricings@2023-01-01' = {
   name: 'SqlServers'
   properties: {
     pricingTier: 'Standard'
@@ -31,7 +49,7 @@ resource defenderForSqlServers 'Microsoft.Security/pricings@2022-03-01' = {
 }
 
 // Configures Microsoft Defender for App Services.
-resource defenderForAppServices 'Microsoft.Security/pricings@2022-03-01' = {
+resource defenderForAppServices 'Microsoft.Security/pricings@2023-01-01' = {
   name: 'AppServices'
   properties: {
     pricingTier: 'Standard'
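Review bot: The new `securityContact` resource sets `emails` and omits `phone`, while the `Azure.DefenderCloud.Contact` rule moved into Azure.Defender.Rule.ps1 by this same change asserts `Properties.Email` and `Properties.Phone`, so this example would fail the repository's own contact rule; add a `phone` value and check the rule's field names against the `2020-01-01-preview` schema. `minimalSeverity: 'High'` also means Medium-severity Defender alerts are never emailed, which is easy to copy without noticing; a comment such as `// Only High alerts are emailed; use 'Medium' to also receive medium-severity alerts` would make the trade-off visible. `notificationsByRole` with `Owner` alone routes only to subscription owners, so the shared mailbox in `emails` is the one guaranteed recipient and should be a monitored address.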
@@ -39,15 +57,29 @@ resource defenderForAppServices 'Microsoft.Security/pricings@2022-03-01' = {
 }
 
 // Configures Microsoft Defender for Storage Accounts.
-resource defenderForStorageAccounts 'Microsoft.Security/pricings@2022-03-01' = {
+resource defenderForStorage 'Microsoft.Security/pricings@2023-01-01' = {
   name: 'StorageAccounts'
   properties: {
     pricingTier: 'Standard'
+    subPlan: 'DefenderForStorageV2'
+    extensions: [
+      {
+        name: 'OnUploadMalwareScanning'
+        isEnabled: 'True'
+        additionalExtensionProperties: {
+          CapGBPerMonthPerStorageAccount: '5000'
+        }
+      }
+      {
+        name: 'SensitiveDataDiscovery'
+        isEnabled: 'True'
+      }
+    ]
   }
 }
 
 // Configures Azure Defender for Sql Server Virtual Machines.
-resource defenderForSqlServerVirtualMachines 'Microsoft.Security/pricings@2022-03-01' = {
+resource defenderForSqlServerVirtualMachines 'Microsoft.Security/pricings@2023-01-01' = {
   name: 'SqlServerVirtualMachines'
   properties: {
     pricingTier: 'Standard'
@@ -55,7 +87,7 @@ resource defenderForSqlServerVirtualMachines 'Microsoft.Security/pricings@2022-0
 }
 
 // Configures Microsoft Defender for Key Vaults.
-resource defenderForKeyVaults 'Microsoft.Security/pricings@2022-03-01' = {
+resource defenderForKeyVaults 'Microsoft.Security/pricings@2023-01-01' = {
   name: 'KeyVaults'
   properties: {
     pricingTier: 'Standard'
@@ -63,7 +95,7 @@ resource defenderForKeyVaults 'Microsoft.Security/pricings@2022-03-01' = {
 }
 
 // Configures Microsoft Defender for Dns.
-resource defenderForDns 'Microsoft.Security/pricings@2022-03-01' = {
+resource defenderForDns 'Microsoft.Security/pricings@2023-01-01' = {
   name: 'Dns'
   properties: {
     pricingTier: 'Standard'
@@ -71,7 +103,7 @@ resource defenderForDns 'Microsoft.Security/pricings@2022-03-01' = {
 }
 
 // Configures Microsoft Defender for Arm.
-resource defenderForArm 'Microsoft.Security/pricings@2022-03-01' = {
+resource defenderForArm 'Microsoft.Security/pricings@2023-01-01' = {
   name: 'Arm'
   properties: {
     pricingTier: 'Standard'
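Review bot: `CapGBPerMonthPerStorageAccount: '5000'` is a hard cap dropped into a reference example with no explanation; my understanding (confirm against the Defender for Storage docs) is that blobs uploaded after an account reaches its monthly cap are no longer scanned, which silently reopens the malicious-upload gap this extension exists to close. A comment such as `// Monthly malware-scan cap in GB per account; uploads past the cap are not scanned, so size to expected volume and alert on cap hits` would stop readers from pasting the number unchanged. The resource symbol also changes from `defenderForStorageAccounts` to `defenderForStorage`, which breaks any outside reference to the old name, though none is visible here.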
@@ -79,7 +111,7 @@ resource defenderForArm 'Microsoft.Security/pricings@2022-03-01' = {
 }
 
 // Configures Microsoft Defender for Open Source Relational Databases.
-resource defenderForOpenSourceRelationalDatabases 'Microsoft.Security/pricings@2022-03-01' = {
+resource defenderForOpenSourceRelationalDatabases 'Microsoft.Security/pricings@2023-01-01' = {
   name: 'OpenSourceRelationalDatabases'
   properties: {
     pricingTier: 'Standard'
@@ -87,7 +119,7 @@ resource defenderForOpenSourceRelationalDatabases 'Microsoft.Security/pricings@2
 }
 
 // Configures Microsoft Defender for Cosmos Dbs.
-resource defenderForCosmosDbs 'Microsoft.Security/pricings@2022-03-01' = {
+resource defenderForCosmosDbs 'Microsoft.Security/pricings@2023-01-01' = {
   name: 'CosmosDbs'
   properties: {
     pricingTier: 'Standard'
@@ -95,7 +127,7 @@ resource defenderForCosmosDbs 'Microsoft.Security/pricings@2022-03-01' = {
 }
 
 // Configures Microsoft Defender for CSPM.
-resource defenderForCloudPosture 'Microsoft.Security/pricings@2022-03-01' = {
+resource defenderForCloudPosture 'Microsoft.Security/pricings@2023-01-01' = {
   name: 'CloudPosture'
   properties: {
     pricingTier: 'Standard'
diff --git a/docs/examples-defender.json b/docs/examples-defender.json
index 35056f1a81e..c8afccc7b6d 100644
--- a/docs/examples-defender.json
+++ b/docs/examples-defender.json
@@ -4,22 +4,32 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.10.61.36676",
-      "templateHash": "13956112484547449048"
+      "version": "0.22.6.54827",
+      "templateHash": "9622669481012103945"
     }
   },
   "resources": [
     {
-      "type": "Microsoft.Security/pricings",
-      "apiVersion": "2018-06-01",
-      "name": "ContainerRegistry",
+      "type": "Microsoft.Security/securityContacts",
+      "apiVersion": "2020-01-01-preview",
+      "name": "default",
       "properties": {
-        "pricingTier": "Standard"
+        "notificationsByRole": {
+          "roles": [
+            "Owner"
+          ],
+          "state": "On"
+        },
+        "emails": "security@contoso.com",
+        "alertNotifications": {
+          "minimalSeverity": "High",
+          "state": "On"
+        }
       }
     },
     {
       "type": "Microsoft.Security/pricings",
-      "apiVersion": "2022-03-01",
+      "apiVersion": "2023-01-01",
       "name": "Containers",
       "properties": {
         "pricingTier": "Standard"
@@ -27,7 +37,7 @@
     },
     {
       "type": "Microsoft.Security/pricings",
-      "apiVersion": "2022-03-01",
+      "apiVersion": "2023-01-01",
       "name": "VirtualMachines",
       "properties": {
         "pricingTier": "Standard",
@@ -36,7 +46,7 @@
     },
     {
       "type": "Microsoft.Security/pricings",
-      "apiVersion": "2022-03-01",
+      "apiVersion": "2023-01-01",
       "name": "SqlServers",
       "properties": {
         "pricingTier": "Standard"
@@ -44,7 +54,7 @@
     },
     {
       "type": "Microsoft.Security/pricings",
-      "apiVersion": "2022-03-01",
+      "apiVersion": "2023-01-01",
       "name": "AppServices",
       "properties": {
         "pricingTier": "Standard"
@@ -52,19 +62,81 @@
     },
     {
       "type": "Microsoft.Security/pricings",
-      "apiVersion": "2022-03-01",
+      "apiVersion": "2023-01-01",
       "name": "StorageAccounts",
       "properties": {
-        "pricingTier": "Standard"
+        "pricingTier": "Standard",
+        "subPlan": "DefenderForStorageV2",
+        "extensions": [
+          {
+            "name": "OnUploadMalwareScanning",
+            "isEnabled": "True",
+            "additionalExtensionProperties": {
+              "CapGBPerMonthPerStorageAccount": "5000"
+            }
+          },
+          {
+            "name": "SensitiveDataDiscovery",
+            "isEnabled": "True"
+          }
+        ]
       }
     },
     {
       "type": "Microsoft.Security/pricings",
-      "apiVersion": "2022-03-01",
+      "apiVersion": "2023-01-01",
       "name": "SqlServerVirtualMachines",
       "properties": {
         "pricingTier": "Standard"
       }
+    },
+    {
+      "type": "Microsoft.Security/pricings",
+      "apiVersion": "2023-01-01",
+      "name": "KeyVaults",
+      "properties": {
+        "pricingTier": "Standard"
+      }
+    },
+    {
+      "type": "Microsoft.Security/pricings",
+      "apiVersion": "2023-01-01",
+      "name": "Dns",
+      "properties": {
+        "pricingTier": "Standard"
+      }
+    },
+    {
+      "type": "Microsoft.Security/pricings",
+      "apiVersion": "2023-01-01",
+      "name": "Arm",
+      "properties": {
+        "pricingTier": "Standard"
+      }
+    },
+    {
+      "type": "Microsoft.Security/pricings",
+      "apiVersion": "2023-01-01",
+      "name": "OpenSourceRelationalDatabases",
+      "properties": {
+        "pricingTier": "Standard"
+      }
+    },
+    {
+      "type": "Microsoft.Security/pricings",
+      "apiVersion": "2023-01-01",
+      "name": "CosmosDbs",
+      "properties": {
+        "pricingTier": "Standard"
+      }
+    },
+    {
+      "type": "Microsoft.Security/pricings",
+      "apiVersion": "2023-01-01",
+      "name": "CloudPosture",
+      "properties": {
+        "pricingTier": "Standard"
+      }
     }
   ]
-}
+}
\ No newline at end of file
diff --git a/src/PSRule.Rules.Azure/Data/Policy/PolicyAssignmentVisitor.cs b/src/PSRule.Rules.Azure/Data/Policy/PolicyAssignmentVisitor.cs
index 9374e4ac6b4..dbe4450bc82 100644
--- a/src/PSRule.Rules.Azure/Data/Policy/PolicyAssignmentVisitor.cs
+++ b/src/PSRule.Rules.Azure/Data/Policy/PolicyAssignmentVisitor.cs
@@ -825,8 +825,6 @@ private static bool ParametersEqual(PolicyAssignmentContext context, IParameterV
             if (typeA == ParameterType.Object && typeB == ParameterType.Object)
                 return JToken.DeepEquals(JObject.FromObject(valueA), JObject.FromObject(valueB));
 
-            // TODO: Handle more types
-
             return true;
         }
 
diff --git a/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.ps1
index 3daa0ec329c..22c5d9882a7 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.ps1
+++ b/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.ps1
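Review bot: With the TODO gone, `ParametersEqual` still ends in `return true;` for every type combination the preceding checks do not handle (only the Object/Object case is visible here; the earlier cases and the function's start are outside the hunk), so two assignments whose parameters differ in an unhandled type are reported as equal. If this result feeds deduplication of policy assignments, that is a silent false-equal that can drop an assignment carrying different parameter values; a safer default for unknown combinations is `return false;`, or at minimum a comment in place of the removed TODO such as `// Unhandled type pairs are assumed equal; unequal scalars of other types are not detected.` Removing the TODO without either leaves the permissive fallthrough undocumented.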
@@ -7,6 +7,26 @@
 
 #region Rules
 
+# Synopsis: Microsoft Defender for Cloud email and phone contact details should be set
+Rule 'Azure.DefenderCloud.Contact' -Alias 'Azure.SecurityCenter.Contact' -Ref 'AZR-000209' -Type 'Microsoft.Subscription' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } {
+    Reason $LocalizedData.SecurityCenterNotConfigured;
+    $contacts = @(GetSubResources -ResourceType 'Microsoft.Security/securityContacts');
+    $Null -ne $contacts -and $contacts.Length -gt 0;
+    foreach ($c in $contacts) {
+        $Assert.HasFieldValue($c, 'Properties.Email')
+        $Assert.HasFieldValue($c, 'Properties.Phone');
+    }
+}
+
+# Synopsis: Enable auto-provisioning on VMs to improve Microsoft Defender for Cloud insights
+Rule 'Azure.DefenderCloud.Provisioning' -Alias 'Azure.SecurityCenter.Provisioning' -Ref 'AZR-000210' -Type 'Microsoft.Subscription' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'LT-4' } {
+    $provisioning = @(GetSubResources -ResourceType 'Microsoft.Security/autoProvisioningSettings');
+    $Null -ne $provisioning -and $provisioning.Length -gt 0;
+    foreach ($s in $provisioning) {
+        $Assert.HasFieldValue($s, 'Properties.autoProvision', 'On');
+    }
+}
+
 # Synopsis: Enable Malware Scanning in Microsoft Defender for Storage.
 Rule 'Azure.Defender.Storage.MalwareScan' -Ref 'AZR-000383' -Type 'Microsoft.Security/pricings' -If { IsNotClassicStoragePlan } -Tag @{ release = 'Preview'; ruleSet = '2023_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'DP-2', 'LT-1' } {
     $malwareConfigured = @($TargetObject.properties.extensions |
@@ -29,7 +49,7 @@ Rule 'Azure.Defender.Storage.SensitiveData' -Ref 'AZR-000385' -Type 'Microsoft.
 
 function global:IsNotClassicStoragePlan {
     [CmdletBinding()]
-    param ()
+    param ()
     process {
         if ($PSRule.TargetName -eq 'StorageAccounts') {
             $TargetObject.properties.subPlan -eq 'DefenderForStorageV2'
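Review bot: `Azure.DefenderCloud.Contact` asserts `Properties.Email` and `Properties.Phone`, but the `Microsoft.Security/securityContacts@2020-01-01-preview` example added to docs/examples-defender.bicep in this same change has `emails` (plural) and no `phone`, so the project's own example would fail this rule; the singular names match the older securityContacts schema, and I cannot tell from here whether PSRule's field lookup tolerates the plural. Consider accepting either name (`HasField`/`HasFieldValue` on `properties.emails` or `properties.email`) and deciding whether `phone` stays mandatory now that `alertNotifications` and `notificationsByRole` carry the routing. `$Null -ne $contacts` is always true after `@(...)`, so that clause is dead and the same applies to `$Null -ne $provisioning`. Since the sibling `Azure.DefenderCloud.Provisioning` carries an MCSB label, this rule would benefit from one as well, `-Labels @{ 'Azure.MCSB.v1/control' = 'IR-2' }` if the project maps incident-notification setup to that control.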
diff --git a/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1
index b73dfbb0883..d1969b06b57 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1
+++ b/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1
@@ -77,35 +77,6 @@ Rule 'Azure.RBAC.PIM' -Ref 'AZR-000208' -Type 'Microsoft.Subscription' -Tag @{ r
 
 #endregion RBAC
 
-#region Security Center
-
-# Synopsis: Microsoft Defender for Cloud email and phone contact details should be set
-Rule 'Azure.DefenderCloud.Contact' -Alias 'Azure.SecurityCenter.Contact' -Ref 'AZR-000209' -Type 'Microsoft.Subscription' -Tag @{ release = 'GA'; ruleSet = '2020_06' } {
-    Reason $LocalizedData.SecurityCenterNotConfigured;
-    $contacts = @(GetSubResources -ResourceType 'Microsoft.Security/securityContacts');
-    $Null -ne $contacts -and $contacts.Length -gt 0;
-    foreach ($c in $contacts) {
-        $Assert.HasFieldValue($c, 'Properties.Email')
-        $Assert.HasFieldValue($c, 'Properties.Phone');
-    }
-}
-
-# TODO: Check Security Center recommendations
-
-# Synopsis: Enable auto-provisioning on VMs to improve Microsoft Defender for Cloud insights
-Rule 'Azure.DefenderCloud.Provisioning' -Alias 'Azure.SecurityCenter.Provisioning' -Ref 'AZR-000210' -Type 'Microsoft.Subscription' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'LT-4' } {
-    $provisioning = @(GetSubResources -ResourceType 'Microsoft.Security/autoProvisioningSettings');
-    $Null -ne $provisioning -and $provisioning.Length -gt 0;
-    foreach ($s in $provisioning) {
-        $Assert.HasFieldValue($s, 'Properties.autoProvision', 'On');
-    }
-}
-
-#endregion Security Center
-
-# TODO: Use policy
-# TODO: Use resource locks
-
 #region Monitor
 
 # Synopsis: Configure Azure service logs