diff --git a/built-in-policies/policyDefinitions/Azure Government/Monitoring/DependencyAgentExtension_Linux_HybridVM_DINE.json b/built-in-policies/policyDefinitions/Azure Government/Monitoring/DependencyAgentExtension_Linux_HybridVM_DINE.json
index 88dc46da1..9f3281d44 100644
--- a/built-in-policies/policyDefinitions/Azure Government/Monitoring/DependencyAgentExtension_Linux_HybridVM_DINE.json
+++ b/built-in-policies/policyDefinitions/Azure Government/Monitoring/DependencyAgentExtension_Linux_HybridVM_DINE.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs.",
 "metadata": {
- "version": "2.0.0",
+ "version": "2.1.0",
 "category": "Monitoring"
 },
- "version": "2.0.0",
+ "version": "2.1.0",
 "parameters": {
 "effect": {
 "type": "string",
@@ -76,7 +76,8 @@
 "variables": {
 "vmExtensionName": "DependencyAgentLinux",
 "vmExtensionPublisher": "Microsoft.Azure.Monitoring.DependencyAgent",
- "vmExtensionType": "DependencyAgentLinux"
+ "vmExtensionType": "DependencyAgentLinux",
+ "vmExtensionTypeHandlerVersion": "9.10"
 },
 "resources": [
 {
@@ -87,6 +88,9 @@
 "properties": {
 "publisher": "[variables('vmExtensionPublisher')]",
 "type": "[variables('vmExtensionType')]",
+ "typeHandlerVersion": "[variables('vmExtensionTypeHandlerVersion')]",
+ "autoUpgradeMinorVersion": true,
+ "enableAutomaticUpgrade": true,
 "settings": {}
 }
 }
@@ -112,6 +116,7 @@
 }
 },
 "versions": [
+ "2.1.0",
 "2.0.0"
 ]
 },
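Review bot: Setting `enableAutomaticUpgrade` to true in the extension `properties` means the platform rolls new Dependency agent builds onto every remediated Arc machine without any further change to this definition, so the `typeHandlerVersion` of `9.10` is effectively a floor rather than a pin; that is a defensible trust decision for a first-party agent, but nothing an assigner reads says so. I would extend the `description` with one sentence such as `The extension is deployed with automatic upgrade enabled, so the Dependency agent is kept current by the platform.` The `existenceCondition` that decides whether remediation runs lies outside these hunks; if it only checks that the extension exists, machines that already have the agent installed without automatic upgrade will presumably not be moved onto this setting by the version bump, which is worth confirming before relying on the new behaviour fleet-wide.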
diff --git a/built-in-policies/policyDefinitions/Azure Government/Monitoring/DependencyAgentExtension_Linux_HybridVM_Deploy_AMA.json b/built-in-policies/policyDefinitions/Azure Government/Monitoring/DependencyAgentExtension_Linux_HybridVM_Deploy_AMA.json
index 1ffbdb002..ecdda9b7c 100644
--- a/built-in-policies/policyDefinitions/Azure Government/Monitoring/DependencyAgentExtension_Linux_HybridVM_Deploy_AMA.json
+++ b/built-in-policies/policyDefinitions/Azure Government/Monitoring/DependencyAgentExtension_Linux_HybridVM_Deploy_AMA.json
@@ -1,15 +1,14 @@
 {
 "properties": {
- "displayName": "[Preview]: Configure Dependency agent on Azure Arc enabled Linux servers with Azure Monitoring Agent settings",
+ "displayName": "Configure Dependency agent on Azure Arc enabled Linux servers with Azure Monitoring Agent settings",
 "policyType": "BuiltIn",
 "mode": "Indexed",
 "description": "Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs.",
 "metadata": {
- "version": "1.1.1-preview",
- "category": "Monitoring",
- "preview": true
+ "version": "1.2.0",
+ "category": "Monitoring"
 },
- "version": "1.1.1-preview",
+ "version": "1.2.0",
 "parameters": {
 "effect": {
 "type": "string",
@@ -93,7 +92,8 @@
 "variables": {
 "vmExtensionName": "DependencyAgentLinux",
 "vmExtensionPublisher": "Microsoft.Azure.Monitoring.DependencyAgent",
- "vmExtensionType": "DependencyAgentLinux"
+ "vmExtensionType": "DependencyAgentLinux",
+ "vmExtensionTypeHandlerVersion": "9.10"
 },
 "resources": [
 {
@@ -104,6 +104,9 @@
 "properties": {
 "publisher": "[variables('vmExtensionPublisher')]",
 "type": "[variables('vmExtensionType')]",
+ "typeHandlerVersion": "[variables('vmExtensionTypeHandlerVersion')]",
+ "autoUpgradeMinorVersion": true,
+ "enableAutomaticUpgrade": true,
 "settings": {
 "enableAMA": "true"
 }
@@ -131,6 +134,7 @@
 }
 },
 "versions": [
+ "1.2.0",
 "1.1.1-PREVIEW"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Azure Government/Monitoring/DependencyAgentExtension_Windows_HybridVM_DINE.json b/built-in-policies/policyDefinitions/Azure Government/Monitoring/DependencyAgentExtension_Windows_HybridVM_DINE.json
index 16a71635e..be3c0a0ce 100644
--- a/built-in-policies/policyDefinitions/Azure Government/Monitoring/DependencyAgentExtension_Windows_HybridVM_DINE.json
+++ b/built-in-policies/policyDefinitions/Azure Government/Monitoring/DependencyAgentExtension_Windows_HybridVM_DINE.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs.",
 "metadata": {
- "version": "2.0.0",
+ "version": "2.1.0",
 "category": "Monitoring"
 },
- "version": "2.0.0",
+ "version": "2.1.0",
 "parameters": {
 "effect": {
 "type": "string",
@@ -75,7 +75,8 @@
 },
 "variables": {
 "DaExtensionName": "DependencyAgentWindows",
- "DaExtensionType": "DependencyAgentWindows"
+ "DaExtensionType": "DependencyAgentWindows",
+ "DaExtensionTypeHandlerVersion": "9.10"
 },
 "resources": [
 {
@@ -86,6 +87,8 @@
 "properties": {
 "publisher": "Microsoft.Azure.Monitoring.DependencyAgent",
 "type": "[variables('DaExtensionType')]",
+ "typeHandlerVersion": "[variables('DaExtensionTypeHandlerVersion')]",
+ "enableAutomaticUpgrade": true,
 "autoUpgradeMinorVersion": true,
 "settings": {}
 }
@@ -112,6 +115,7 @@
 }
 },
 "versions": [
+ "2.1.0",
 "2.0.0"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Azure Government/Monitoring/DependencyAgentExtension_Windows_HybridVM_Deploy_AMA.json b/built-in-policies/policyDefinitions/Azure Government/Monitoring/DependencyAgentExtension_Windows_HybridVM_Deploy_AMA.json
index 7acb8bc98..25b9a13f8 100644
--- a/built-in-policies/policyDefinitions/Azure Government/Monitoring/DependencyAgentExtension_Windows_HybridVM_Deploy_AMA.json
+++ b/built-in-policies/policyDefinitions/Azure Government/Monitoring/DependencyAgentExtension_Windows_HybridVM_Deploy_AMA.json
@@ -1,15 +1,14 @@
 {
 "properties": {
- "displayName": "[Preview]: Configure Dependency agent on Azure Arc enabled Windows servers with Azure Monitoring Agent settings",
+ "displayName": "Configure Dependency agent on Azure Arc enabled Windows servers with Azure Monitoring Agent settings",
 "policyType": "BuiltIn",
 "mode": "Indexed",
 "description": "Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs.",
 "metadata": {
- "version": "1.1.1-preview",
- "category": "Monitoring",
- "preview": true
+ "version": "1.2.0",
+ "category": "Monitoring"
 },
- "version": "1.1.1-preview",
+ "version": "1.2.0",
 "parameters": {
 "effect": {
 "type": "string",
@@ -92,7 +91,8 @@
 },
 "variables": {
 "DaExtensionName": "DependencyAgentWindows",
- "DaExtensionType": "DependencyAgentWindows"
+ "DaExtensionType": "DependencyAgentWindows",
+ "DaExtensionTypeHandlerVersion": "9.10"
 },
 "resources": [
 {
@@ -103,6 +103,8 @@
 "properties": {
 "publisher": "Microsoft.Azure.Monitoring.DependencyAgent",
 "type": "[variables('DaExtensionType')]",
+ "typeHandlerVersion": "[variables('DaExtensionTypeHandlerVersion')]",
+ "enableAutomaticUpgrade": true,
 "autoUpgradeMinorVersion": true,
 "settings": {
 "enableAMA": "true"
@@ -131,6 +133,7 @@
 }
 },
 "versions": [
+ "1.2.0",
 "1.1.1-PREVIEW"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VMSS_Audit.json b/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VMSS_Audit.json
index 8399cad7f..3701b39be 100644
--- a/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VMSS_Audit.json
+++ b/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VMSS_Audit.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Linux virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machine scale sets with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview.",
 "metadata": {
- "version": "3.2.0",
+ "version": "3.3.0",
 "category": "Monitoring"
 },
- "version": "3.2.0",
+ "version": "3.3.0",
 "parameters": {
 "effect": {
 "type": "String",
@@ -386,7 +386,7 @@
 },
 {
 "field": "Microsoft.Compute/imageOffer",
- "equals": "almalinux"
+ "like": "almalinux*"
 },
 {
 "anyOf": [
@@ -510,6 +510,7 @@
 }
 },
 "versions": [
+ "3.3.0",
 "3.2.0",
 "3.1.0"
 ]
diff --git a/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VMSS_DINE.json b/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VMSS_DINE.json
index 4e9986048..1d7b2c406 100644
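Review bot: Replacing `"equals": "almalinux"` with `"like": "almalinux*"` in the `Microsoft.Compute/imageOffer` condition turns an exact offer match into a prefix match, so any present or future Marketplace offer whose name starts with `almalinux` now qualifies for this branch of the image allow-list, and the same widening is repeated in every sibling AMA and DCRA definition in this commit. The `anyOf` that follows (cut off by the hunk) is now the only thing bounding which SKUs of those offers are matched, so it is worth confirming it still constrains the match and that the publisher condition earlier in the same `allOf` is unchanged. Strict JSON leaves no room for an inline comment, so the reason for the prefix match belongs in the commit message, e.g. `match AlmaLinux offers by prefix so newer offer names are covered`, rather than being left implicit.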
--- a/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VMSS_DINE.json
+++ b/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VMSS_DINE.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.",
 "metadata": {
- "version": "3.5.0",
+ "version": "3.6.0",
 "category": "Monitoring"
 },
- "version": "3.5.0",
+ "version": "3.6.0",
 "parameters": {
 "effect": {
 "type": "String",
@@ -390,7 +390,7 @@
 },
 {
 "field": "Microsoft.Compute/imageOffer",
- "equals": "almalinux"
+ "like": "almalinux*"
 },
 {
 "anyOf": [
@@ -563,6 +563,7 @@
 }
 },
 "versions": [
+ "3.6.0",
 "3.5.0",
 "3.4.0",
 "3.3.0"
diff --git a/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VMSS_UAI_DINE.json b/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VMSS_UAI_DINE.json
index 01b8880df..4cd71e998 100644
--- a/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VMSS_UAI_DINE.json
+++ b/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VMSS_UAI_DINE.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.",
 "metadata": {
- "version": "3.7.0",
+ "version": "3.8.0",
 "category": "Monitoring"
 },
- "version": "3.7.0",
+ "version": "3.8.0",
 "parameters": {
 "effect": {
 "type": "String",
@@ -444,7 +444,7 @@
 },
 {
 "field": "Microsoft.Compute/imageOffer",
- "equals": "almalinux"
+ "like": "almalinux*"
 },
 {
 "anyOf": [
@@ -631,6 +631,7 @@
 }
 },
 "versions": [
+ "3.8.0",
 "3.7.0",
 "3.6.0",
 "3.5.0",
diff --git a/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VM_Audit.json b/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VM_Audit.json
index bc49fe723..ff4146908 100644
--- a/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VM_Audit.json
+++ b/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VM_Audit.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Linux virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machines with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview.",
 "metadata": {
- "version": "3.2.0",
+ "version": "3.3.0",
 "category": "Monitoring"
 },
- "version": "3.2.0",
+ "version": "3.3.0",
 "parameters": {
 "effect": {
 "type": "String",
@@ -386,7 +386,7 @@
 },
 {
 "field": "Microsoft.Compute/imageOffer",
- "equals": "almalinux"
+ "like": "almalinux*"
 },
 {
 "anyOf": [
@@ -510,6 +510,7 @@
 }
 },
 "versions": [
+ "3.3.0",
 "3.2.0",
 "3.1.0"
 ]
diff --git a/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VM_DINE.json b/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VM_DINE.json
index b8aaf2d7d..f2f71ddd6 100644
--- a/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VM_DINE.json
+++ b/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VM_DINE.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.",
 "metadata": {
- "version": "3.5.0",
+ "version": "3.6.0",
 "category": "Monitoring"
 },
- "version": "3.5.0",
+ "version": "3.6.0",
 "parameters": {
 "effect": {
 "type": "String",
@@ -390,7 +390,7 @@
 },
 {
 "field": "Microsoft.Compute/imageOffer",
- "equals": "almalinux"
+ "like": "almalinux*"
 },
 {
 "anyOf": [
@@ -563,6 +563,7 @@
 }
 },
 "versions": [
+ "3.6.0",
 "3.5.0",
 "3.4.0",
 "3.3.0"
diff --git a/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VM_UAI_DINE.json b/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VM_UAI_DINE.json
index 118d1cd1e..90f4e5b4a 100644
--- a/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VM_UAI_DINE.json
+++ b/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VM_UAI_DINE.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.",
 "metadata": {
- "version": "3.7.0",
+ "version": "3.8.0",
 "category": "Monitoring"
 },
- "version": "3.7.0",
+ "version": "3.8.0",
 "parameters": {
 "effect": {
 "type": "String",
@@ -444,7 +444,7 @@
 },
 {
 "field": "Microsoft.Compute/imageOffer",
- "equals": "almalinux"
+ "like": "almalinux*"
 },
 {
 "anyOf": [
@@ -631,6 +631,7 @@
 }
 },
 "versions": [
+ "3.8.0",
 "3.7.0",
 "3.6.0",
 "3.5.0",
diff --git a/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Linux_DINE.json b/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Linux_DINE.json
index 9eebd7bb8..7e90c02ec 100644
--- a/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Linux_DINE.json
+++ b/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Linux_DINE.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased.",
 "metadata": {
- "version": "6.4.0",
+ "version": "6.5.0",
 "category": "Monitoring"
 },
- "version": "6.4.0",
+ "version": "6.5.0",
 "parameters": {
 "effect": {
 "type": "String",
@@ -451,7 +451,7 @@
 },
 {
 "field": "Microsoft.Compute/imageOffer",
- "equals": "almalinux"
+ "like": "almalinux*"
 },
 {
 "anyOf": [
@@ -691,6 +691,7 @@
 }
 },
 "versions": [
+ "6.5.0",
 "6.4.0",
 "6.3.0",
 "6.2.0",
diff --git a/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_VMSS_Linux_DINE.json b/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_VMSS_Linux_DINE.json
index a4df96f75..b3b06e87b 100644
--- a/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_VMSS_Linux_DINE.json
+++ b/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_VMSS_Linux_DINE.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased.",
 "metadata": {
- "version": "4.3.0",
+ "version": "4.4.0",
 "category": "Monitoring"
 },
- "version": "4.3.0",
+ "version": "4.4.0",
 "parameters": {
 "effect": {
 "type": "String",
@@ -407,7 +407,7 @@
 },
 {
 "field": "Microsoft.Compute/imageOffer",
- "equals": "almalinux"
+ "like": "almalinux*"
 },
 {
 "anyOf": [
@@ -597,6 +597,7 @@
 }
 },
 "versions": [
+ "4.4.0",
 "4.3.0",
 "4.2.0",
 "4.1.0",
diff --git a/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_VM_Linux_DINE.json b/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_VM_Linux_DINE.json
index 340a2a271..1eb619a2f 100644
--- a/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_VM_Linux_DINE.json
+++ b/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_VM_Linux_DINE.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased.",
 "metadata": {
- "version": "4.3.0",
+ "version": "4.4.0",
 "category": "Monitoring"
 },
- "version": "4.3.0",
+ "version": "4.4.0",
 "parameters": {
 "effect": {
 "type": "String",
@@ -407,7 +407,7 @@
 },
 {
 "field": "Microsoft.Compute/imageOffer",
- "equals": "almalinux"
+ "like": "almalinux*"
 },
 {
 "anyOf": [
@@ -597,6 +597,7 @@
 }
 },
 "versions": [
+ "4.4.0",
 "4.3.0",
 "4.2.0",
 "4.1.0",
diff --git a/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Linux_HybridVM_DINE.json b/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Linux_HybridVM_DINE.json
index 88dc46da1..9ed929d7b 100644
--- a/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Linux_HybridVM_DINE.json
+++ b/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Linux_HybridVM_DINE.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs.",
 "metadata": {
- "version": "2.0.0",
+ "version": "2.1.0",
 "category": "Monitoring"
 },
- "version": "2.0.0",
+ "version": "2.1.0",
 "parameters": {
 "effect": {
 "type": "string",
@@ -76,7 +76,8 @@
 "variables": {
 "vmExtensionName": "DependencyAgentLinux",
 "vmExtensionPublisher": "Microsoft.Azure.Monitoring.DependencyAgent",
- "vmExtensionType": "DependencyAgentLinux"
+ "vmExtensionType": "DependencyAgentLinux",
+ "vmExtensionTypeHandlerVersion": "9.10"
 },
 "resources": [
 {
@@ -87,6 +88,9 @@
 "properties": {
 "publisher": "[variables('vmExtensionPublisher')]",
 "type": "[variables('vmExtensionType')]",
+ "typeHandlerVersion": "[variables('vmExtensionTypeHandlerVersion')]",
+ "enableAutomaticUpgrade": true,
+ "autoUpgradeMinorVersion": true,
 "settings": {}
 }
 }
@@ -112,6 +116,7 @@
 }
 },
 "versions": [
+ "2.1.0",
 "2.0.0"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Linux_HybridVM_Deploy_AMA.json b/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Linux_HybridVM_Deploy_AMA.json
index 5353f873a..4447dfac8 100644
--- a/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Linux_HybridVM_Deploy_AMA.json
+++ b/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Linux_HybridVM_Deploy_AMA.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs.",
 "metadata": {
- "version": "1.1.2",
+ "version": "1.2.0",
 "category": "Monitoring"
 },
- "version": "1.1.2",
+ "version": "1.2.0",
 "parameters": {
 "effect": {
 "type": "string",
@@ -92,7 +92,8 @@
 "variables": {
 "vmExtensionName": "DependencyAgentLinux",
 "vmExtensionPublisher": "Microsoft.Azure.Monitoring.DependencyAgent",
- "vmExtensionType": "DependencyAgentLinux"
+ "vmExtensionType": "DependencyAgentLinux",
+ "vmExtensionTypeHandlerVersion": "9.10"
 },
 "resources": [
 {
@@ -103,6 +104,9 @@
 "properties": {
 "publisher": "[variables('vmExtensionPublisher')]",
 "type": "[variables('vmExtensionType')]",
+ "typeHandlerVersion": "[variables('vmExtensionTypeHandlerVersion')]",
+ "enableAutomaticUpgrade": true,
+ "autoUpgradeMinorVersion": true,
 "settings": {
 "enableAMA": "true"
 }
@@ -130,6 +134,7 @@
 }
 },
 "versions": [
+ "1.2.0",
 "1.1.2"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Linux_VMSS_DINE.json b/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Linux_VMSS_DINE.json
index c5f20b829..031373930 100644
--- a/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Linux_VMSS_DINE.json
+++ b/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Linux_VMSS_DINE.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances.",
 "metadata": {
- "version": "5.0.0",
+ "version": "5.1.0",
 "category": "Monitoring"
 },
- "version": "5.0.0",
+ "version": "5.1.0",
 "parameters": {
 "listOfImageIdToInclude": {
 "type": "Array",
@@ -298,6 +298,7 @@
 "publisher": "[variables('vmExtensionPublisher')]",
 "type": "[variables('vmExtensionType')]",
 "typeHandlerVersion": "[variables('vmExtensionTypeHandlerVersion')]",
+ "enableAutomaticUpgrade": true,
 "autoUpgradeMinorVersion": true
 }
 }
@@ -323,6 +324,7 @@
 }
 },
 "versions": [
+ "5.1.0",
 "5.0.0"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Linux_VMSS_Deploy_AMA.json b/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Linux_VMSS_Deploy_AMA.json
index 0a2942993..a04ddef83 100644
--- a/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Linux_VMSS_Deploy_AMA.json
+++ b/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Linux_VMSS_Deploy_AMA.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances.",
 "metadata": {
- "version": "3.1.1",
+ "version": "3.2.0",
 "category": "Monitoring"
 },
- "version": "3.1.1",
+ "version": "3.2.0",
 "parameters": {
 "listOfImageIdToInclude": {
 "type": "Array",
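Review bot: `enableAutomaticUpgrade` is switched on for a scale-set extension whose `description` still tells assigners that a Manual `upgradePolicy` requires running `az vmss update-instances` to roll the extension out, and the hunk does not show whether platform-driven extension upgrades reach instances of such a scale set without that step; the sentence should be re-checked against the auto-upgrade behaviour and adjusted so it does not contradict the new setting. Once confirmed, I would append to the description something like `The extension is deployed with automatic extension upgrade enabled.` The `properties` object this hunk edits starts and ends outside the hunk, so the `existenceCondition` that decides when remediation runs could not be reviewed here.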
@@ -350,6 +350,7 @@
 "publisher": "[variables('vmExtensionPublisher')]",
 "type": "[variables('vmExtensionType')]",
 "typeHandlerVersion": "[variables('vmExtensionTypeHandlerVersion')]",
+ "enableAutomaticUpgrade": true,
 "autoUpgradeMinorVersion": true,
 "settings": {
 "enableAMA": "true"
@@ -378,6 +379,7 @@
 }
 },
 "versions": [
+ "3.2.0",
 "3.1.1"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Linux_VM_DINE.json b/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Linux_VM_DINE.json
index efbb24478..0788b2540 100644
--- a/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Linux_VM_DINE.json
+++ b/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Linux_VM_DINE.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed.",
 "metadata": {
- "version": "5.0.0",
+ "version": "5.1.0",
 "category": "Monitoring"
 },
- "version": "5.0.0",
+ "version": "5.1.0",
 "parameters": {
 "listOfImageIdToInclude": {
 "type": "Array",
@@ -302,6 +302,7 @@
 "publisher": "[variables('vmExtensionPublisher')]",
 "type": "[variables('vmExtensionType')]",
 "typeHandlerVersion": "[variables('vmExtensionTypeHandlerVersion')]",
+ "enableAutomaticUpgrade": true,
 "autoUpgradeMinorVersion": true
 }
 }
@@ -327,6 +328,7 @@
 }
 },
 "versions": [
+ "5.1.0",
 "5.0.0"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Linux_VM_Deploy_AMA.json b/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Linux_VM_Deploy_AMA.json
index 6f84d35ac..6c99b5b93 100644
--- a/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Linux_VM_Deploy_AMA.json
+++ b/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Linux_VM_Deploy_AMA.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed.",
 "metadata": {
- "version": "3.1.1",
+ "version": "3.2.0",
 "category": "Monitoring"
 },
- "version": "3.1.1",
+ "version": "3.2.0",
 "parameters": {
 "listOfImageIdToInclude": {
 "type": "Array",
@@ -354,6 +354,7 @@
 "publisher": "[variables('vmExtensionPublisher')]",
 "type": "[variables('vmExtensionType')]",
 "typeHandlerVersion": "[variables('vmExtensionTypeHandlerVersion')]",
+ "enableAutomaticUpgrade": true,
 "autoUpgradeMinorVersion": true,
 "settings": {
 "enableAMA": "true"
@@ -382,6 +383,7 @@
 }
 },
 "versions": [
+ "3.2.0",
 "3.1.1"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Windows_HybridVM_DINE.json b/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Windows_HybridVM_DINE.json
index 16a71635e..be3c0a0ce 100644
--- a/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Windows_HybridVM_DINE.json
+++ b/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Windows_HybridVM_DINE.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs.",
 "metadata": {
- "version": "2.0.0",
+ "version": "2.1.0",
 "category": "Monitoring"
 },
- "version": "2.0.0",
+ "version": "2.1.0",
 "parameters": {
 "effect": {
 "type": "string",
@@ -75,7 +75,8 @@
 },
 "variables": {
 "DaExtensionName": "DependencyAgentWindows",
- "DaExtensionType": "DependencyAgentWindows"
+ "DaExtensionType": "DependencyAgentWindows",
+ "DaExtensionTypeHandlerVersion": "9.10"
 },
 "resources": [
 {
@@ -86,6 +87,8 @@
 "properties": {
 "publisher": "Microsoft.Azure.Monitoring.DependencyAgent",
 "type": "[variables('DaExtensionType')]",
+ "typeHandlerVersion": "[variables('DaExtensionTypeHandlerVersion')]",
+ "enableAutomaticUpgrade": true,
 "autoUpgradeMinorVersion": true,
 "settings": {}
 }
@@ -112,6 +115,7 @@
 }
 },
 "versions": [
+ "2.1.0",
 "2.0.0"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Windows_HybridVM_Deploy_AMA.json b/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Windows_HybridVM_Deploy_AMA.json
index 5d98a20c7..154a12c2f 100644
--- a/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Windows_HybridVM_Deploy_AMA.json
+++ b/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Windows_HybridVM_Deploy_AMA.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs.",
 "metadata": {
- "version": "1.1.2",
+ "version": "1.2.0",
 "category": "Monitoring"
 },
- "version": "1.1.2",
+ "version": "1.2.0",
 "parameters": {
 "effect": {
 "type": "string",
@@ -91,7 +91,8 @@
 },
 "variables": {
 "DaExtensionName": "DependencyAgentWindows",
- "DaExtensionType": "DependencyAgentWindows"
+ "DaExtensionType": "DependencyAgentWindows",
+ "DaExtensionTypeHandlerVersion": "9.10"
 },
 "resources": [
 {
@@ -102,6 +103,8 @@
 "properties": {
 "publisher": "Microsoft.Azure.Monitoring.DependencyAgent",
 "type": "[variables('DaExtensionType')]",
+ "typeHandlerVersion": "[variables('DaExtensionTypeHandlerVersion')]",
+ "enableAutomaticUpgrade": true,
 "autoUpgradeMinorVersion": true,
 "settings": {
 "enableAMA": "true"
@@ -130,6 +133,7 @@
 }
 },
 "versions": [
+ "1.2.0",
 "1.1.2"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Windows_VMSS_DINE.json b/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Windows_VMSS_DINE.json
index fe1a9378e..74a5a972a 100644
--- a/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Windows_VMSS_DINE.json
+++ b/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Windows_VMSS_DINE.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Deploy Dependency agent for Windows virtual machine scale sets if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them.",
 "metadata": {
- "version": "3.1.0",
+ "version": "3.2.0",
 "category": "Monitoring"
 },
- "version": "3.1.0",
+ "version": "3.2.0",
 "parameters": {
 "listOfImageIdToInclude": {
 "type": "Array",
@@ -274,6 +274,7 @@
 "publisher": "[variables('vmExtensionPublisher')]",
 "type": "[variables('vmExtensionType')]",
 "typeHandlerVersion": "[variables('vmExtensionTypeHandlerVersion')]",
+ "enableAutomaticUpgrade": true,
 "autoUpgradeMinorVersion": true
 }
 }
@@ -299,6 +300,7 @@
 }
 },
 "versions": [
+ "3.2.0",
 "3.1.0"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Windows_VMSS_Deploy_AMA.json b/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Windows_VMSS_Deploy_AMA.json
index 61d9ac995..04e8a63b4 100644
--- a/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Windows_VMSS_Deploy_AMA.json
+++ b/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Windows_VMSS_Deploy_AMA.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Deploy Dependency agent for Windows virtual machine scale sets with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them.",
 "metadata": {
- "version": "1.2.2",
+ "version": "1.3.0",
 "category": "Monitoring"
 },
- "version": "1.2.2",
+ "version": "1.3.0",
 "parameters": {
 "listOfImageIdToInclude": {
 "type": "Array",
@@ -314,6 +314,7 @@
 "publisher": "[variables('vmExtensionPublisher')]",
 "type": "[variables('vmExtensionType')]",
 "typeHandlerVersion": "[variables('vmExtensionTypeHandlerVersion')]",
+ "enableAutomaticUpgrade": true,
 "autoUpgradeMinorVersion": true,
 "settings": {
 "enableAMA": "true"
@@ -342,6 +343,7 @@
 }
 },
 "versions": [
+ "1.3.0",
 "1.2.2"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Windows_VM_DINE.json b/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Windows_VM_DINE.json
index 91cded8da..fbcc3cce1 100644
--- a/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Windows_VM_DINE.json
+++ b/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Windows_VM_DINE.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Deploy Dependency agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed.",
 "metadata": {
- "version": "3.1.0",
+ "version": "3.2.0",
 "category": "Monitoring"
 },
- "version": "3.1.0",
+ "version": "3.2.0",
 "parameters": {
 "listOfImageIdToInclude": {
 "type": "Array",
@@ -278,6 +278,7 @@
 "publisher": "[variables('vmExtensionPublisher')]",
 "type": "[variables('vmExtensionType')]",
 "typeHandlerVersion": "[variables('vmExtensionTypeHandlerVersion')]",
+ "enableAutomaticUpgrade": true,
 "autoUpgradeMinorVersion": true
 }
 }
@@ -303,6 +304,7 @@
 }
 },
 "versions": [
+ "3.2.0",
 "3.1.0"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Windows_VM_Deploy_AMA.json b/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Windows_VM_Deploy_AMA.json
index a55009667..b917a53d7 100644
--- a/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Windows_VM_Deploy_AMA.json
+++ b/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Windows_VM_Deploy_AMA.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Deploy Dependency agent for Windows virtual machines with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed.",
 "metadata": {
- "version": "1.2.2",
+ "version": "1.3.0",
 "category": "Monitoring"
 },
- "version": "1.2.2",
+ "version": "1.3.0",
 "parameters": {
 "listOfImageIdToInclude": {
 "type": "Array",
@@ -318,6 +318,7 @@
 "publisher": "[variables('vmExtensionPublisher')]",
 "type": "[variables('vmExtensionType')]",
 "typeHandlerVersion": "[variables('vmExtensionTypeHandlerVersion')]",
+ "enableAutomaticUpgrade": true,
 "autoUpgradeMinorVersion": true,
 "settings": {
 "enableAMA": "true"
@@ -346,6 +347,7 @@
 }
 },
 "versions": [
+ "1.3.0",
 "1.2.2"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Network/PrivateSubnetOnly_Audit.json b/built-in-policies/policyDefinitions/Network/PrivateSubnetOnly_Audit.json
new file mode 100644
index 000000000..f4106df58
--- /dev/null
+++ b/built-in-policies/policyDefinitions/Network/PrivateSubnetOnly_Audit.json
@@ -0,0 +1,66 @@
+{
+ "properties": {
+ "displayName": "Subnets should be private",
+ "policyType": "BuiltIn",
+ "mode": "All",
+ "description": "Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Network"
+ },
+ "version": "1.0.0",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "anyOf": [
+ {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/virtualNetworks"
+ },
+ {
+ "field": "Microsoft.Network/virtualNetworks/subnets[*].defaultOutboundAccess",
+ "notEquals": "false"
+ }
+ ]
+ },
+ {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/virtualNetworks/subnets"
+ },
+ {
+ "field": "Microsoft.Network/virtualNetworks/subnets/defaultOutboundAccess",
+ "notEquals": "false"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ },
+ "versions": [
+ "1.0.0"
+ ]
+ },
+ "id": "/providers/Microsoft.Authorization/policyDefinitions/7bca8353-aa3b-429b-904a-9229c4385837",
+ "name": "7bca8353-aa3b-429b-904a-9229c4385837"
+}
\ No newline at end of file
diff --git a/built-in-policies/policyDefinitions/PostgreSQL/FlexibleServers_EnableCMK_AINE.json b/built-in-policies/policyDefinitions/PostgreSQL/FlexibleServers_EnableCMK_AINE.json
index 8b6e2a813..0d54e4f4f 100644
--- a/built-in-policies/policyDefinitions/PostgreSQL/FlexibleServers_EnableCMK_AINE.json
+++ b/built-in-policies/policyDefinitions/PostgreSQL/FlexibleServers_EnableCMK_AINE.json
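Review bot: The virtual-network branch applies `notEquals: "false"` directly to the `subnets[*].defaultOutboundAccess` array alias, and for a `Deny` on a vNet PUT it matters whether that condition holds per subnet or only when every subnet fails it; a vNet mixing private and non-private subnets may pass this branch and only be caught by the subnet-level branch when the subnet is written on its own. A `count`/`where` expression over `subnets[*]` states "at least one subnet is not private" explicitly whatever the alias semantics, as sketched below. Whether an absent `defaultOutboundAccess` (the legacy default, meaning outbound access is enabled) satisfies `notEquals: "false"` should also be confirmed against the engine; if it does not, an `exists: false` branch is needed for both resource types. The file is committed without a trailing newline.
```json
{
  "count": {
    "field": "Microsoft.Network/virtualNetworks/subnets[*]",
    "where": {
      "field": "Microsoft.Network/virtualNetworks/subnets[*].defaultOutboundAccess",
      "notEquals": "false"
    }
  },
  "greater": 0
}
```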
@@ -1,14 +1,14 @@
 {
 "properties": {
- "displayName": "PostgreSQL flexble servers should use customer-managed keys to encrypt data at rest",
+ "displayName": "PostgreSQL flexible servers should use customer-managed keys to encrypt data at rest",
 "policyType": "BuiltIn",
 "mode": "Indexed",
 "description": "Use customer-managed keys to manage the encryption at rest of your PostgreSQL flexible servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "PostgreSQL"
 },
- "version": "1.0.0",
+ "version": "1.1.0",
 "parameters": {
 "effect": {
 "type": "String",
@@ -32,16 +32,20 @@
 "equals": "Microsoft.DBforPostgreSQL/flexibleServers"
 },
 {
- "field": "Microsoft.DBforPostgreSQL/flexibleServers/dataEncryption.type",
- "equals": "AzureKeyVault"
- },
- {
- "field": "Microsoft.DBforPostgreSQL/flexibleServers/dataEncryption.primaryKeyURI",
- "exists": "true"
- },
- {
- "field": "Microsoft.DBforPostgreSQL/flexibleServers/dataEncryption.primaryKeyURI",
- "notEquals": ""
+ "anyOf": [
+ {
+ "field": "Microsoft.DBforPostgreSQL/flexibleServers/dataEncryption.type",
+ "notEquals": "AzureKeyVault"
+ },
+ {
+ "field": "Microsoft.DBforPostgreSQL/flexibleServers/dataEncryption.primaryKeyURI",
+ "exists": false
+ },
+ {
+ "field": "Microsoft.DBforPostgreSQL/flexibleServers/dataEncryption.primaryKeyURI",
+ "equals": ""
+ }
+ ]
 }
 ]
 },
@@ -50,6 +54,7 @@
 }
 },
 "versions": [
+ "1.1.0",
 "1.0.0"
 ]
 },
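Review bot: The inverted `anyOf` in the -32 hunk does not explicitly cover a server whose `dataEncryption.type` property is absent altogether: whether `notEquals: "AzureKeyVault"` fires on a missing field depends on the engine's missing-field semantics, and the two `primaryKeyURI` branches only trigger when the URI is missing or empty. Adding a fourth branch `{ "field": "Microsoft.DBforPostgreSQL/flexibleServers/dataEncryption.type", "exists": false }` makes the service-managed-key default unambiguously non-compliant. The new branches also switch from the string form `"exists": "true"` that the removed lines used to the boolean `false`; both forms appear in built-in definitions, but one should be used consistently within this file. The `then` block that applies the effect lies outside the hunk.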
diff --git a/built-in-policies/policyDefinitions/Security Center/MySQL_FlexibleServers_DefenderForSQL_Audit.json b/built-in-policies/policyDefinitions/Security Center/MySQL_FlexibleServers_DefenderForSQL_Audit.json
new file mode 100644
index 000000000..6641a4383
--- /dev/null
+++ b/built-in-policies/policyDefinitions/Security Center/MySQL_FlexibleServers_DefenderForSQL_Audit.json
@@ -0,0 +1,49 @@
+{
+ "properties": {
+ "displayName": "Azure Defender for SQL should be enabled for unprotected MySQL flexible servers",
+ "policyType": "BuiltIn",
+ "mode": "Indexed",
+ "description": "Audit MySQL flexible servers without Advanced Data Security",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Security Center"
+ },
+ "version": "1.0.0",
+ "parameters": {
+ "effect": {
+ "type": "string",
+ "defaultValue": "AuditIfNotExists",
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.DBforMySQL/flexibleservers"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.DBforMySQL/flexibleservers/advancedThreatProtectionSettings",
+ "name": "Default",
+ "existenceCondition": {
+ "field": "Microsoft.DBforMySQL/flexibleServers/advancedThreatProtectionSettings/state",
+ "equals": "Enabled"
+ }
+ }
+ }
+ },
+ "versions": [
+ "1.0.0"
+ ]
+ },
+ "id": "/providers/Microsoft.Authorization/policyDefinitions/3bc8a0d5-38e0-4a3d-a657-2cb64468fc34",
+ "name": "3bc8a0d5-38e0-4a3d-a657-2cb64468fc34"
+}
\ No newline at end of file
diff --git a/built-in-policies/policySetDefinitions/Azure Government/Security Center/AzureSecurityCenter.json b/built-in-policies/policySetDefinitions/Azure Government/Security Center/AzureSecurityCenter.json
index 2a0131b17..f8101181f 100644
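Review bot: The resource type is written `Microsoft.DBforMySQL/flexibleservers` in the `if` condition and in `details.type`, while the `existenceCondition` alias uses `flexibleServers`; type comparison is case-insensitive so the rule works, but the mixed casing reads like a typo and should follow the provider's casing in all three places. The `description` ("Audit MySQL flexible servers without Advanced Data Security") and the `displayName` ("Azure Defender for SQL ...") name the feature differently; align them so assignments and compliance views show one product name. The file is committed without a trailing newline.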
--- a/built-in-policies/policySetDefinitions/Azure Government/Security Center/AzureSecurityCenter.json
+++ b/built-in-policies/policySetDefinitions/Azure Government/Security Center/AzureSecurityCenter.json
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "The Microsoft cloud security benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft cloud security benchmark, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender for Cloud.",
 "metadata": {
- "version": "47.21.0",
+ "version": "47.22.0",
 "category": "Security Center"
 },
- "version": "47.21.0",
+ "version": "47.22.0",
 "policyDefinitionGroups": [
 {
 "name": "Azure_Security_Benchmark_v3.0_NS-1",
@@ -5677,6 +5677,17 @@
 "Azure_Security_Benchmark_v3.0_IR-5"
 ]
 },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3bc8a0d5-38e0-4a3d-a657-2cb64468fc34",
+ "definitionVersion": "1.*.*",
+ "policyDefinitionReferenceId": "mySqlFlexibleServersAdvancedDataSecurityMonitoring",
+ "groupNames": [
+ "Azure_Security_Benchmark_v3.0_LT-1",
+ "Azure_Security_Benchmark_v3.0_LT-2",
+ "Azure_Security_Benchmark_v3.0_IR-3",
+ "Azure_Security_Benchmark_v3.0_IR-5"
+ ]
+ },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/308fbb08-4ab8-4e67-9b29-592e93fb94fa",
 "definitionVersion": "1.*.*",
@@ -7104,6 +7115,7 @@
 }
 ],
 "versions": [
+ "47.22.0",
 "47.21.0",
 "47.20.0",
 "47.19.0",
diff --git a/built-in-policies/policySetDefinitions/Monitoring/AzureMonitor_VMSS_AMA_new.json b/built-in-policies/policySetDefinitions/Monitoring/AzureMonitor_VMSS_AMA_new.json
index e92d20c0e..b0cf1cffe 100644
--- a/built-in-policies/policySetDefinitions/Monitoring/AzureMonitor_VMSS_AMA_new.json
+++ b/built-in-policies/policySetDefinitions/Monitoring/AzureMonitor_VMSS_AMA_new.json
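Review bot: The new reference in the -5677 hunk carries no `parameters` block, so the definition runs with its own default effect and an assignment of this initiative can only silence it by disabling the whole reference; if the neighbouring references expose a per-policy effect parameter (not visible in this hunk), this one should be wired the same way, e.g. `"parameters": { "effect": { "value": "[parameters('<effect parameter name>')]" } }` with a matching entry in the initiative's `parameters`. The `policyDefinitionReferenceId` also uses the older "AdvancedDataSecurity" wording while the referenced definition's display name says Defender for SQL; keep the id as-is for stability, but the mismatch is worth a comment in the commit message.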
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "Enable Azure Monitor for the virtual machines scale set (VMSS) with AMA.",
 "metadata": {
- "version": "1.1.0",
+ "version": "1.2.0",
 "category": "Monitoring"
 },
- "version": "1.1.0",
+ "version": "1.2.0",
 "parameters": {
 "enableProcessesAndDependencies": {
 "type": "Boolean",
@@ -99,8 +99,8 @@
 "scopeToSupportedImages": {
 "type": "Boolean",
 "metadata": {
- "displayName": "Scope Policy to Dependency Agent-Supported Operating Systems",
- "description": "If set to true, the policy will apply only to virtual machines with supported operating systems. Otherwise, the policy will apply to all virtual machine resources in the assignment scope. For supported operating systems, see https://learn.microsoft.com/en-us/azure/azure-monitor/vm/vminsights-dependency-agent-maintenance"
+ "displayName": "Scope Policy to supported Operating Systems",
+ "description": "If set to true, the policy will apply only to virtual machine scale sets with supported operating systems. Otherwise, the policy will apply to all virtual machine scale sets resources in the assignment scope."
 },
 "allowedValues": [
 true,
@@ -248,6 +248,12 @@
 "definitionVersion": "6.*.*",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2ea82cdd-f2e8-4500-af75-67a2e084ca74",
 "parameters": {
+ "scopeToSupportedImages": {
+ "value": "[parameters('scopeToSupportedImages')]"
+ },
+ "listOfLinuxImageIdToInclude": {
+ "value": "[parameters('listOfImageIdToInclude_linux')]"
+ },
 "dcrResourceId": {
 "value": "[parameters('dcrResourceId')]"
 }
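Review bot: The rewritten `description` of `scopeToSupportedImages` in the -99 hunk drops the link that told assigners where the supported operating-system list lives, and since the -248 hunk now also passes this parameter and `listOfImageIdToInclude_linux` into the AMA deployment policy, "supported" now means the image lists of the referenced definitions rather than the Dependency agent list; the text should name which lists apply or restore a reference. The new wording also reads "all virtual machine scale sets resources" where "all virtual machine scale set resources" is meant. The same description change is made in the AzureMonitor_VM_AMA_new.json hunk at -83.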
@@ -258,6 +264,12 @@
 "definitionVersion": "4.*.*",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eab1f514-22e3-42e3-9a1f-e1dc9199355c",
 "parameters": {
+ "scopeToSupportedImages": {
+ "value": "[parameters('scopeToSupportedImages')]"
+ },
+ "listOfWindowsImageIdToInclude": {
+ "value": "[parameters('listOfImageIdToInclude_windows')]"
+ },
 "dcrResourceId": {
 "value": "[parameters('dcrResourceId')]"
 }
@@ -265,6 +277,7 @@
 }
 ],
 "versions": [
+ "1.2.0",
 "1.1.0",
 "1.0.0"
 ]
diff --git a/built-in-policies/policySetDefinitions/Monitoring/AzureMonitor_VM_AMA_new.json b/built-in-policies/policySetDefinitions/Monitoring/AzureMonitor_VM_AMA_new.json
index 7c76a9868..dd98087f8 100644
--- a/built-in-policies/policySetDefinitions/Monitoring/AzureMonitor_VM_AMA_new.json
+++ b/built-in-policies/policySetDefinitions/Monitoring/AzureMonitor_VM_AMA_new.json
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "Enable Azure Monitor for the virtual machines (VMs) with AMA.",
 "metadata": {
- "version": "1.1.0",
+ "version": "1.2.0",
 "category": "Monitoring"
 },
- "version": "1.1.0",
+ "version": "1.2.0",
 "parameters": {
 "enableProcessesAndDependencies": {
 "type": "Boolean",
@@ -83,8 +83,8 @@
 "scopeToSupportedImages": {
 "type": "Boolean",
 "metadata": {
- "displayName": "Scope Policy to Dependency Agent-Supported Operating Systems",
- "description": "If set to true, the policy will apply only to virtual machines with supported operating systems. Otherwise, the policy will apply to all virtual machine resources in the assignment scope. For supported operating systems, see https://learn.microsoft.com/en-us/azure/azure-monitor/vm/vminsights-dependency-agent-maintenance"
+ "displayName": "Scope Policy to supported Operating Systems",
+ "description": "If set to true, the policy will apply only to virtual machines with supported operating systems. Otherwise, the policy will apply to all virtual machine resources in the assignment scope."
 },
 "allowedValues": [
 true,
@@ -250,6 +250,12 @@
 "parameters": {
 "dcrResourceId": {
 "value": "[parameters('dcrResourceId')]"
+ },
+ "scopeToSupportedImages": {
+ "value": "[parameters('scopeToSupportedImages')]"
+ },
+ "listOfLinuxImageIdToInclude": {
+ "value": "[parameters('listOfImageIdToInclude_linux')]"
 }
 }
 },
@@ -260,11 +266,18 @@
 "parameters": {
 "dcrResourceId": {
 "value": "[parameters('dcrResourceId')]"
+ },
+ "scopeToSupportedImages": {
+ "value": "[parameters('scopeToSupportedImages')]"
+ },
+ "listOfWindowsImageIdToInclude": {
+ "value": "[parameters('listOfImageIdToInclude_windows')]"
 }
 }
 }
 ],
 "versions": [
+ "1.2.0",
 "1.1.0",
 "1.0.0"
 ]
diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/NewZealand_ISM.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/NewZealand_ISM.json
new file mode 100644
index 000000000..08122a010
--- /dev/null
+++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/NewZealand_ISM.json
@@ -0,0 +1,2894 @@ +{ + "properties": { + "displayName": "[Preview]: New Zealand ISM", + "policyType": "BuiltIn", + "description": "New Zealand Information Security Manual (ISM) policy initiative. This policy set includes definitions that have a Deny effect by default", + "metadata": { + "category": "Regulatory Compliance", + "version": "1.0.0-preview", + "preview": true + }, + "version": "1.0.0-preview", + "policyDefinitionGroups": [ + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_06.2.5.C.01", + "description": "A baseline or known point of origin is the basis of any comparison and allows measurement of changes and improvements when further information security monitoring activities are conducted.", + "name": "New_Zealand_ISM_06.2.5.C.01", + "category": "06. Information security monitoring" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_06.2.6.C.01", + "description": "Vulnerabilities may occur as a result of poorly designed or implemented information security practices", + "name": "New_Zealand_ISM_06.2.6.C.01", + "category": "06. Information security monitoring" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_06.4.5.C.01", + "description": "Availability and recovery requirements will vary based on each agency s business needs and are likely to be widely variable across government. Agencies will determine their own availability and recovery requirements and implement measures consistent with the agency's SRMP to achieve them as part of their risk management and governance processes.", + "name": "New_Zealand_ISM_06.4.5.C.01", + "category": "06. 
Information security monitoring" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_07.1.7.C.02", + "description": "Processes and procedures for the detection of information security incidents will assist in mitigating attacks using the most common vectors in systems exploits.", + "name": "New_Zealand_ISM_07.1.7.C.02", + "category": "07. Information Security Incidents" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_07.2.22.C.01", + "description": "In the case of outsourcing of information technology services and functions", + "name": "New_Zealand_ISM_07.2.22.C.01", + "category": "07. Information Security Incidents" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_10.8.35.C.01", + "description": "Security architectures MUST apply the principles of separation and segregation.", + "name": "New_Zealand_ISM_10.8.35.C.01", + "category": "10. Infrastructure" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_12.4.4.C.02", + "description": "The assurance provided by an evaluation is related to the date at which the results were issued. Over the course of a normal product lifecycle", + "name": "New_Zealand_ISM_12.4.4.C.02", + "category": "12. Product Security" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_14.1.8.C.01", + "description": "Antivirus and anti-malware software", + "name": "New_Zealand_ISM_14.1.8.C.01", + "category": "14. Software security" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_14.1.9.C.01", + "description": "Whilst a SOE can be sufficiently hardened when it is deployed", + "name": "New_Zealand_ISM_14.1.9.C.01", + "category": "14. 
Software security" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_14.2.4.C.01", + "description": "Application access control can be an effective mechanism to prevent the successful compromise of an agency system resulting from the exploitation of a vulnerability in an application or the execution of malicious code.", + "name": "New_Zealand_ISM_14.2.4.C.01", + "category": "14. Software security" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_14.5.8.C.01", + "description": "The Open Web Application Security Project guide provides a comprehensive resource to consult when developing Web applications.", + "name": "New_Zealand_ISM_14.5.8.C.01", + "category": "14. Software security" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_16.1.32.C.01", + "description": "Agencies MUST ensure that all system users are uniquely identifiable; and authenticated on each occasion that access is granted to a system.", + "name": "New_Zealand_ISM_16.1.32.C.01", + "category": "16. Access Control and Passwords" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_16.3.5.C.02", + "description": "Inappropriate use of any feature or facility of a system that enables a privileged user to override system or application controls can be a major contributory factor to failures", + "name": "New_Zealand_ISM_16.3.5.C.02", + "category": "16. Access Control and Passwords" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_16.4.30.C.01", + "description": "The requirement for an agency security policy is discussed and described in Chapter 5 Information Security Documentation.  A fundamental part of any security policy is the inclusion of requirements for the treatment of Privileged Accounts.  
This is most conveniently contained in a Privileged Access Management (PAM) section within the agency s security policy.  A PAM policy is a fundamental component of an agency s IT Governance.", + "name": "New_Zealand_ISM_16.4.30.C.01", + "category": "16. Access Control and Passwords" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_16.4.32.C.01", + "description": "The approval and authorisation process for the granting of privileged access should be based on the requirement to manage and protect agency systems and assets or as an operational necessity only.", + "name": "New_Zealand_ISM_16.4.32.C.01", + "category": "16. Access Control and Passwords" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_17.1.55.C.03", + "description": "When encryption is applied to information being communicated over networks", + "name": "New_Zealand_ISM_17.1.55.C.03", + "category": "17. Cryptography" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_17.1.58.C.01", + "description": "All cryptographic keys have a limited useful life after which the key should be replaced or retired. Typically the useful life of the cryptographic key (cryptoperiod) is use", + "name": "New_Zealand_ISM_17.1.58.C.01", + "category": "17. Cryptography" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_17.2.19.C.01", + "description": "While ECDH should be used in preference to DH", + "name": "New_Zealand_ISM_17.2.19.C.01", + "category": "17. Cryptography" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_17.2.22.C.01", + "description": "A field/key size of at least 384 bits for ECDH is now considered good practice by the cryptographic community.", + "name": "New_Zealand_ISM_17.2.22.C.01", + "category": "17. 
Cryptography" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_17.2.24.C.01", + "description": "A modulus of at least 3072 bits for RSA is considered good practice by the cryptographic community.", + "name": "New_Zealand_ISM_17.2.24.C.01", + "category": "17. Cryptography" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_17.4.16.C.01", + "description": "Whilst version 1.0 of SSL was never released", + "name": "New_Zealand_ISM_17.4.16.C.01", + "category": "17. Cryptography" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_17.5.6.C.01", + "description": "The configuration directives provided are based on the OpenSSH implementation of SSH. Agencies implementing SSH will need to adapt these settings to suit other SSH implementations.", + "name": "New_Zealand_ISM_17.5.6.C.01", + "category": "17. Cryptography" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_17.5.7.C.01", + "description": "Public key-based systems have greater potential for strong authentication", + "name": "New_Zealand_ISM_17.5.7.C.01", + "category": "17. Cryptography" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_17.9.35.C.01", + "description": "The cryptographic system administrator is a highly privileged position which involves granting privileged access to a cryptographic system. Therefore extra precautions need to be put in place surrounding the security and vetting of the personnel as well as the access control procedures for individuals designated as cryptographic system administrators.", + "name": "New_Zealand_ISM_17.9.35.C.01", + "category": "17. 
Cryptography" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_17.9.36.C.02", + "description": "As cryptographic equipment contains particularly sensitive information additional physical security measures need to be applied to the equipment.", + "name": "New_Zealand_ISM_17.9.36.C.02", + "category": "17. Cryptography" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_18.1.10.C.01", + "description": "If the network is not centrally managed", + "name": "New_Zealand_ISM_18.1.10.C.01", + "category": "18. Network security" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_18.1.13.C.02", + "description": "If an attacker has limited opportunities to connect to a given network", + "name": "New_Zealand_ISM_18.1.13.C.02", + "category": "18. Network security" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_18.4.7.C.02", + "description": "An IDS/IPS when configured correctly", + "name": "New_Zealand_ISM_18.4.7.C.02", + "category": "18. Network security" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_18.4.8.C.01", + "description": "If the firewall is configured to block all traffic on a particular range of port numbers", + "name": "New_Zealand_ISM_18.4.8.C.01", + "category": "18. Network security" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_22.1.24.C.03", + "description": "Cloud service providers may not provide adequate physical security and physical and logical access controls to meet agencies requirements.  An assessment of cloud service risks will include physical and systems security.  Refer also to Chapter 19 Gateway Security", + "name": "New_Zealand_ISM_22.1.24.C.03", + "category": "22. 
Enterprise systems security" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_22.1.24.C.04", + "description": "Cloud service providers may not provide adequate physical security and physical and logical access controls to meet agencies requirements.  An assessment of cloud service risks will include physical and systems security.  Refer also to Chapter 19 Gateway Security", + "name": "New_Zealand_ISM_22.1.24.C.04", + "category": "22. Enterprise systems security" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_23.3.19.C.01", + "description": "Credentials used to access public cloud services can be reused across cloud service providers", + "name": "New_Zealand_ISM_23.3.19.C.01", + "category": "23. Public Cloud Security" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_23.4.10.C.01", + "description": "Many public cloud services are designed to make customer data directly accessible through multiple interfaces. These service endpoints may be internet-accessible by default", + "name": "New_Zealand_ISM_23.4.10.C.01", + "category": "23. Public Cloud Security" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_23.4.9.C.01", + "description": "Agencies remain accountable for the confidentiality", + "name": "New_Zealand_ISM_23.4.9.C.01", + "category": "23. Public Cloud Security" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_23.5.11.C.01", + "description": "It may not be possible", + "name": "New_Zealand_ISM_23.5.11.C.01", + "category": "23. 
Public Cloud Security" + } + ], + "parameters": { + "modeRequirement-1": { + "type": "String", + "metadata": { + "displayName": "Mode Requirement", + "description": "Mode required for all WAF policies" + }, + "allowedValues": [ + "Prevention", + "Detection" + ], + "defaultValue": "Detection" + }, + "audit_effect-1": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled" + ], + "defaultValue": "Audit" + }, + "deny_effect-1": { + "type": "String", + "metadata": { + "displayName": "Audit, deny or disable the execution of the policy", + "description": "Audit, deny or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "evaluatedSkuNames-2": { + "type": "Array", + "metadata": { + "displayName": "Azure Spring Cloud SKU Names", + "description": "List of Azure Spring Cloud SKUs against which this policy will be evaluated." + }, + "allowedValues": [ + "Standard", + "Enterprise" + ], + "defaultValue": [ + "Standard", + "Enterprise" + ] + }, + "allowedIPAddresses-1": { + "type": "Array", + "metadata": { + "displayName": "Allowed IP addresses", + "description": "Array with allowed public IP addresses. An empty array is evaluated as to allow all IPs." 
+ }, + "defaultValue": [] + }, + "IncludeArcMachines-1": { + "type": "String", + "metadata": { + "displayName": "Include Arc connected servers", + "description": "By selecting this option, you agree to be charged monthly per Arc connected machine.", + "portalReview": "true" + }, + "allowedValues": [ + "true", + "false" + ], + "defaultValue": "false" + }, + "minimumTlsVersion-2": { + "type": "String", + "metadata": { + "displayName": "Minimum TLS Version", + "description": "Minimum version of TLS required to access data in this storage account" + }, + "allowedValues": [ + "TLS1_0", + "TLS1_1", + "TLS1_2" + ], + "defaultValue": "TLS1_2" + }, + "forbiddenIPAddresses-1": { + "type": "Array", + "metadata": { + "displayName": "Forbidden IP addresses", + "description": "Array with forbidden public IP addresses. An empty array is evaluated as there are no forbidden IP addresses." + }, + "defaultValue": [] + }, + "LinuxPythonVersion-1": { + "type": "String", + "metadata": { + "displayName": "Linux Python version", + "description": "Specify a supported Python version for App Service" + }, + "defaultValue": "" + }, + "excludedNamespaces-1": { + "type": "Array", + "metadata": { + "displayName": "Namespace exclusions", + "description": "List of Kubernetes namespaces to exclude from policy evaluation. System namespaces \"kube-system\", \"gatekeeper-system\" and \"azure-arc\" are always excluded by design. \"azure-extensions-usage-system\" is optional to remove." + }, + "defaultValue": [ + "kube-system", + "gatekeeper-system", + "azure-arc", + "azure-extensions-usage-system" + ] + }, + "minimumRSAKeySize-1": { + "type": "Integer", + "metadata": { + "displayName": "Minimum RSA key size", + "description": "The minimum key size for RSA keys." 
+ }, + "allowedValues": [ + 2048, + 3072, + 4096 + ] + }, + "excludedImages-1": { + "type": "Array", + "metadata": { + "displayName": "Image exclusions", + "description": "The list of InitContainers and Containers to exclude from policy evaluation. The identifier is the image of container. Prefix-matching can be signified with `*`. For example: `myregistry.azurecr.io/istio:*`. It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) in order to avoid unexpectedly exempting images from an untrusted repository.", + "portalReview": true + }, + "defaultValue": [] + }, + "LinuxJavaVersion-1": { + "type": "String", + "metadata": { + "displayName": "Linux Java version", + "description": "Specify a supported Java version for App Service" + }, + "defaultValue": "" + }, + "allowedECNames-1": { + "type": "Array", + "metadata": { + "displayName": "Allowed elliptic curve names", + "description": "The list of allowed curve names for elliptic curve cryptography certificates." + }, + "allowedValues": [ + "P-256", + "P-256K", + "P-384", + "P-521" + ], + "defaultValue": [ + "P-256", + "P-256K", + "P-384", + "P-521" + ] + }, + "namespaces-1": { + "type": "Array", + "metadata": { + "displayName": "Namespace inclusions", + "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces." + }, + "defaultValue": [] + }, + "LinuxPHPVersion-1": { + "type": "String", + "metadata": { + "displayName": "Linux PHP version", + "description": "Specify a supported PHP version for App Service" + }, + "defaultValue": "" + }, + "evaluatedSkuNames-1": { + "type": "Array", + "metadata": { + "displayName": "API Management SKU Names", + "description": "List of API Management SKUs against which this policy will be evaluated." 
+ }, + "allowedValues": [ + "Developer", + "Basic", + "Standard", + "Premium", + "Consumption" + ], + "defaultValue": [ + "Developer", + "Premium" + ] + }, + "MinimumTLSVersion-1": { + "type": "String", + "metadata": { + "displayName": "Minimum TLS version", + "description": "The minimum TLS protocol version that should be enabled. Windows machines with lower TLS versions will be marked as non-compliant." + }, + "allowedValues": [ + "1.1", + "1.2" + ], + "defaultValue": "1.2" + }, + "endpointType-1": { + "type": "String", + "metadata": { + "displayName": "Public Endpoint Type", + "description": "Public Endpoint Type for which to enforce the access check" + }, + "allowedValues": [ + "Management", + "Git", + "Gateway Configuration" + ], + "defaultValue": "Management" + }, + "labelSelector-1": { + "type": "Object", + "metadata": { + "displayName": "Kubernetes label selector", + "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources." + }, + "defaultValue": {}, + "schema": { + "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. 
An empty label selector matches all resources.",
+ "type": "object",
+ "properties": {
+ "matchLabels": {
+ "description": "matchLabels is a map of {key,value} pairs.",
+ "type": "object",
+ "additionalProperties": {
+ "type": "string"
+ },
+ "minProperties": 1
+ },
+ "matchExpressions": {
+ "description": "matchExpressions is a list of values, a key, and an operator.",
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "key": {
+ "description": "key is the label key that the selector applies to.",
+ "type": "string"
+ },
+ "operator": {
+ "description": "operator represents a key's relationship to a set of values.",
+ "type": "string",
+ "enum": [
+ "In",
+ "NotIn",
+ "Exists",
+ "DoesNotExist"
+ ]
+ },
+ "values": {
+ "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ }
+ },
+ "required": [
+ "key",
+ "operator"
+ ],
+ "additionalProperties": false
+ },
+ "minItems": 1
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "restrictIPAddresses-1": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Would you like to restrict specific IP addresses?",
+ "description": "Select (Yes) to allow or forbid a list of IP addresses. 
If (No), the list of IP addresses won't have any effect in the policy enforcement"
+ },
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "requiredRetentionDays-1": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Required retention (days)",
+ "description": "The required resource logs retention in days"
+ },
+ "defaultValue": "365"
+ },
+ "setting-1": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Desired Auditing setting"
+ },
+ "allowedValues": [
+ "enabled",
+ "disabled"
+ ],
+ "defaultValue": "enabled"
+ },
+ "excludedContainers-1": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Containers exclusions",
+ "description": "The list of InitContainers and Containers to exclude from policy evaluation. The identify is the name of container. Use an empty list to apply this policy to all containers in all namespaces."
+ },
+ "defaultValue": []
+ },
+ "warn-1": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
+ "excludedKinds-1": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Excluded Kinds",
+ "description": "The list of excluded API kinds for customer-managed key, default is the list of API kinds that don't have data stored in Cognitive Services"
+ },
+ "defaultValue": [
+ "CognitiveServices",
+ "Knowledge",
+ "LUIS",
+ "QnAMaker",
+ "TextAnalytics",
+ "ComputerVision",
+ "HealthDecisionSupport",
+ "ImmersiveReader"
+ ]
+ },
+ "NotAvailableMachineState-1": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Status if Windows Defender is not available on machine",
+ "description": "Windows Defender Exploit Guard is only available starting with Windows 10/Windows Server with update 1709. Setting this value to 'Non-Compliant' shows machines with older versions on which Windows Defender Exploit Guard is not available (such as Windows Server 2012 R2) as non-compliant. 
Setting this value to 'Compliant' shows these machines as compliant."
+ },
+ "allowedValues": [
+ "Compliant",
+ "Non-Compliant"
+ ],
+ "defaultValue": "Compliant"
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "A vulnerability assessment solution should be enabled on your virtual machines",
+ "groupNames": [
+ "New_Zealand_ISM_06.2.5.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9",
+ "definitionVersion": "3.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Vulnerability assessment should be enabled on SQL Managed Instance",
+ "groupNames": [
+ "New_Zealand_ISM_06.2.5.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Vulnerability assessment should be enabled on your SQL servers",
+ "groupNames": [
+ "New_Zealand_ISM_06.2.5.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9",
+ "definitionVersion": "3.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "SQL databases should have vulnerability findings resolved",
+ "groupNames": [
+ "New_Zealand_ISM_06.2.6.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc",
+ "definitionVersion": "4.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "SQL servers on machines should have vulnerability findings resolved",
+ "groupNames": [
+ "New_Zealand_ISM_06.2.6.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Vulnerabilities in container security configurations should be remediated",
+ 
"groupNames": [ + "New_Zealand_ISM_06.2.6.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933", + "definitionVersion": "3.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Vulnerabilities in security configuration on your machines should be remediated", + "groupNames": [ + "New_Zealand_ISM_06.2.6.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15", + "definitionVersion": "3.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Vulnerabilities in security configuration on your virtual machine scale sets should be remediated", + "groupNames": [ + "New_Zealand_ISM_06.2.6.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4", + "definitionVersion": "3.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Machines should have secret findings resolved", + "groupNames": [ + "New_Zealand_ISM_06.2.6.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3ac7c827-eea2-4bde-acc7-9568cd320efa", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)", + "groupNames": [ + "New_Zealand_ISM_06.2.6.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/090c7b07-b4ed-4561-ad20-e9075f3ccaff", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)", + "groupNames": [ + "New_Zealand_ISM_06.2.6.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17f4b1cc-c55c-4d94-b1f9-2978f6ac2957", + 
"definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Configure Microsoft Defender for Containers to be enabled", + "groupNames": [ + "New_Zealand_ISM_06.2.6.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Audit virtual machines without disaster recovery configured", + "groupNames": [ + "New_Zealand_ISM_06.4.5.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Defender for App Service should be enabled", + "groupNames": [ + "New_Zealand_ISM_07.1.7.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Defender for Azure SQL Database servers should be enabled", + "groupNames": [ + "New_Zealand_ISM_07.1.7.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Defender for Key Vault should be enabled", + "groupNames": [ + "New_Zealand_ISM_07.1.7.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Defender for open-source relational databases should be enabled", + "groupNames": [ + "New_Zealand_ISM_07.1.7.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a9fbe0d-c5c4-4da8-87d8-f4fd77338835", + "definitionVersion": "1.*.*", + 
"parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Defender for Resource Manager should be enabled", + "groupNames": [ + "New_Zealand_ISM_07.1.7.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3d20c29-b36d-48fe-808b-99a87530ad99", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Defender for servers should be enabled", + "groupNames": [ + "New_Zealand_ISM_07.1.7.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Defender for SQL servers on machines should be enabled", + "groupNames": [ + "New_Zealand_ISM_07.1.7.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6581d072-105e-4418-827f-bd446d56421b", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Defender for SQL should be enabled for unprotected Azure SQL servers", + "groupNames": [ + "New_Zealand_ISM_07.1.7.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9", + "definitionVersion": "2.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Defender for SQL should be enabled for unprotected SQL Managed Instances", + "groupNames": [ + "New_Zealand_ISM_07.1.7.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Kubernetes Service clusters should have Defender profile enabled", + "groupNames": [ + "New_Zealand_ISM_07.1.7.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a1840de2-8088-4ea8-b153-b4c723e9cb01", + "definitionVersion": "2.*.*", + 
"parameters": {} + }, + { + "policyDefinitionReferenceId": "Microsoft Defender for Containers should be enabled", + "groupNames": [ + "New_Zealand_ISM_07.1.7.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c988dd6-ade4-430f-a608-2a3e5b0a6d38", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Microsoft Defender for Storage should be enabled", + "groupNames": [ + "New_Zealand_ISM_07.1.7.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/640d2586-54d2-465f-877f-9ffc1d2109f4", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Microsoft Defender for APIs should be enabled", + "groupNames": [ + "New_Zealand_ISM_07.1.7.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7926a6d1-b268-4586-8197-e8ae90c877d7", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Microsoft Defender for Azure Cosmos DB should be enabled", + "groupNames": [ + "New_Zealand_ISM_07.1.7.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/adbe85b5-83e6-4350-ab58-bf3a4f736e5e", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Microsoft Defender for SQL should be enabled for unprotected Synapse workspaces", + "groupNames": [ + "New_Zealand_ISM_07.1.7.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d31e5c31-63b2-4f12-887b-e49456834fa1", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers", + "groupNames": [ + "New_Zealand_ISM_07.1.7.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d38668f5-d155-42c7-ab3d-9b57b50f8fbf", + "definitionVersion": "1.*.*", + "parameters": {} + }, 
+ { + "policyDefinitionReferenceId": "Email notification for high severity alerts should be enabled", + "groupNames": [ + "New_Zealand_ISM_07.2.22.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Email notification to subscription owner for high severity alerts should be enabled", + "groupNames": [ + "New_Zealand_ISM_07.2.22.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d", + "definitionVersion": "2.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Subscriptions should have a contact email address for security issues", + "groupNames": [ + "New_Zealand_ISM_07.2.22.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "API Management services should use a virtual network", + "groupNames": [ + "New_Zealand_ISM_10.8.35.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b", + "definitionVersion": "1.*.*", + "parameters": { + "evaluatedSkuNames": { + "value": "[parameters('evaluatedSkuNames-1')]" + } + } + }, + { + "policyDefinitionReferenceId": "App Configuration should use private link", + "groupNames": [ + "New_Zealand_ISM_10.8.35.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ca610c1d-041c-4332-9d88-7ed3094967c7", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure API for FHIR should use private link", + "groupNames": [ + "New_Zealand_ISM_10.8.35.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1ee56206-5dd1-42ab-b02d-8aae8b1634ce", + 
"definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Cache for Redis should use private link", + "groupNames": [ + "New_Zealand_ISM_10.8.35.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7803067c-7d34-46e3-8c79-0ca68fc4036d", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Event Grid domains should use private link", + "groupNames": [ + "New_Zealand_ISM_10.8.35.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9830b652-8523-49cc-b1b3-e17dce1127ca", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Event Grid topics should use private link", + "groupNames": [ + "New_Zealand_ISM_10.8.35.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4b90e17e-8448-49db-875e-bd83fb6f804f", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Key Vaults should use private link", + "groupNames": [ + "New_Zealand_ISM_10.8.35.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6abeaec-4d90-4a02-805f-6b26c4d3fbe9", + "definitionVersion": "1.*.*", + "parameters": { + "audit_effect": { + "value": "[parameters('audit_effect-1')]" + } + } + }, + { + "policyDefinitionReferenceId": "Azure Machine Learning workspaces should use private link", + "groupNames": [ + "New_Zealand_ISM_10.8.35.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/45e05259-1eb5-4f70-9574-baf73e9d219b", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure SignalR Service should use private link", + "groupNames": [ + "New_Zealand_ISM_10.8.35.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2393d2cf-a342-44cd-a2e2-fe0188fd1234", + "definitionVersion": 
"1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Spring Cloud should use network injection", + "groupNames": [ + "New_Zealand_ISM_10.8.35.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af35e2a4-ef96-44e7-a9ae-853dd97032c4", + "definitionVersion": "1.*.*", + "parameters": { + "evaluatedSkuNames": { + "value": "[parameters('evaluatedSkuNames-2')]" + } + } + }, + { + "policyDefinitionReferenceId": "Container registries should use private link", + "groupNames": [ + "New_Zealand_ISM_10.8.35.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Private endpoint connections on Azure SQL Database should be enabled", + "groupNames": [ + "New_Zealand_ISM_10.8.35.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7698e800-9299-47a6-b3b6-5a0fee576eed", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Private endpoint connections on Batch accounts should be enabled", + "groupNames": [ + "New_Zealand_ISM_10.8.35.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/009a0c92-f5b4-4776-9b66-4ed2b4775563", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Private endpoint should be enabled for MariaDB servers", + "groupNames": [ + "New_Zealand_ISM_10.8.35.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a1302fb-a631-4106-9753-f3d494733990", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Private endpoint should be enabled for MySQL servers", + "groupNames": [ + "New_Zealand_ISM_10.8.35.C.01" + ], + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/7595c971-233d-4bcf-bd18-596129188c49", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Private endpoint should be enabled for PostgreSQL servers", + "groupNames": [ + "New_Zealand_ISM_10.8.35.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0564d078-92f5-4f97-8398-b9f58a51f70b", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Public network access should be disabled for MySQL flexible servers", + "groupNames": [ + "New_Zealand_ISM_10.8.35.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052", + "definitionVersion": "2.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Public network access should be disabled for PostgreSQL flexible servers", + "groupNames": [ + "New_Zealand_ISM_10.8.35.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48", + "definitionVersion": "3.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Storage accounts should restrict network access using virtual network rules", + "groupNames": [ + "New_Zealand_ISM_10.8.35.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Storage accounts should use private link", + "groupNames": [ + "New_Zealand_ISM_10.8.35.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9", + "definitionVersion": "2.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "VM Image Builder templates should use private link", + "groupNames": [ + "New_Zealand_ISM_10.8.35.C.01" + ], + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/2154edb9-244f-4741-9970-660785bccdaa", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Databricks Clusters should disable public IP", + "groupNames": [ + "New_Zealand_ISM_10.8.35.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/51c1490f-3319-459c-bbbc-7f391bbed753", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Databricks Workspaces should disable public network access", + "groupNames": [ + "New_Zealand_ISM_10.8.35.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e7849de-b939-4c50-ab48-fc6b0f5eeba2", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Databricks Workspaces should use private link", + "groupNames": [ + "New_Zealand_ISM_10.8.35.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/258823f2-4595-4b52-b333-cc96192710d8", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Machine Learning Workspaces should disable public network access", + "groupNames": [ + "New_Zealand_ISM_10.8.35.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce", + "definitionVersion": "2.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Cosmos DB should disable public network access", + "groupNames": [ + "New_Zealand_ISM_10.8.35.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Databricks Workspaces should be in a virtual network", + "groupNames": [ + "New_Zealand_ISM_10.8.35.C.01" + ], + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/9c25c9e4-ee12-4882-afd2-11fb9d87893f", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure SQL Managed Instances should disable public network access", + "groupNames": [ + "New_Zealand_ISM_10.8.35.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9dfea752-dd46-4766-aed1-c355fa93fb91", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Cognitive Services should use private link", + "groupNames": [ + "New_Zealand_ISM_10.8.35.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cddd188c-4b82-4c48-a19d-ddf74ee66a01", + "definitionVersion": "3.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "API Management should disable public network access to the service configuration endpoints", + "groupNames": [ + "New_Zealand_ISM_10.8.35.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd", + "definitionVersion": "1.*.*", + "parameters": { + "endpointType": { + "value": "[parameters('endpointType-1')]" + } + } + }, + { + "policyDefinitionReferenceId": "CosmosDB accounts should use private link", + "groupNames": [ + "New_Zealand_ISM_10.8.35.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/58440f8a-10c5-4151-bdce-dfbaad4a20b7", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Machine Learning Computes should be in a virtual network", + "groupNames": [ + "New_Zealand_ISM_10.8.35.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7804b5c7-01dc-4723-969b-ae300cc07ff1", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "System updates on virtual machine scale sets should be installed", + "groupNames": [ + 
"New_Zealand_ISM_12.4.4.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe", + "definitionVersion": "3.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "System updates should be installed on your machines", + "groupNames": [ + "New_Zealand_ISM_12.4.4.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60", + "definitionVersion": "4.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Machines should be configured to periodically check for missing system updates", + "groupNames": [ + "New_Zealand_ISM_12.4.4.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9", + "definitionVersion": "3.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Machine Learning compute instances should be recreated to get the latest software updates", + "groupNames": [ + "New_Zealand_ISM_12.4.4.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f110a506-2dcb-422e-bcea-d533fc8c35e2", + "definitionVersion": "1.*.*", + "parameters": { + "effects": { + "value": "[parameters('audit_effect-1')]" + } + } + }, + { + "policyDefinitionReferenceId": "App Service apps should have remote debugging turned off", + "groupNames": [ + "New_Zealand_ISM_14.1.8.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71", + "definitionVersion": "2.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Function apps should have remote debugging turned off", + "groupNames": [ + "New_Zealand_ISM_14.1.8.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9", + "definitionVersion": "2.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": 
"Management ports should be closed on your virtual machines", + "groupNames": [ + "New_Zealand_ISM_14.1.8.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917", + "definitionVersion": "3.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters", + "groupNames": [ + "New_Zealand_ISM_14.1.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Role-Based Access Control (RBAC) should be used on Kubernetes Services", + "groupNames": [ + "New_Zealand_ISM_14.1.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Endpoint protection health issues should be resolved on your machines", + "groupNames": [ + "New_Zealand_ISM_14.1.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Endpoint protection should be installed on your machines", + "groupNames": [ + "New_Zealand_ISM_14.1.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Endpoint protection solution should be installed on virtual machine scale sets", + "groupNames": [ + "New_Zealand_ISM_14.1.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de", + "definitionVersion": "3.*.*", + "parameters": {} 
+ }, + { + "policyDefinitionReferenceId": "Guest Configuration extension should be installed on your machines", + "groupNames": [ + "New_Zealand_ISM_14.1.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Kubernetes cluster containers should not share host process ID or host IPC namespace", + "groupNames": [ + "New_Zealand_ISM_14.1.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8", + "definitionVersion": "5.*.*", + "parameters": { + "excludedNamespaces": { + "value": "[parameters('excludedNamespaces-1')]" + }, + "excludedImages": { + "value": "[parameters('excludedImages-1')]" + }, + "labelSelector": { + "value": "[parameters('labelSelector-1')]" + }, + "namespaces": { + "value": "[parameters('namespaces-1')]" + } + } + }, + { + "policyDefinitionReferenceId": "Kubernetes cluster containers should run with a read only root file system", + "groupNames": [ + "New_Zealand_ISM_14.1.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/df49d893-a74c-421d-bc95-c663042e5b80", + "definitionVersion": "6.*.*", + "parameters": { + "warn": { + "value": "[parameters('warn-1')]" + }, + "excludedNamespaces": { + "value": "[parameters('excludedNamespaces-1')]" + }, + "namespaces": { + "value": "[parameters('namespaces-1')]" + }, + "excludedContainers": { + "value": "[parameters('excludedContainers-1')]" + }, + "excludedImages": { + "value": "[parameters('excludedImages-1')]" + }, + "labelSelector": { + "value": "[parameters('labelSelector-1')]" + } + } + }, + { + "policyDefinitionReferenceId": "Kubernetes cluster should not allow privileged containers", + "groupNames": [ + "New_Zealand_ISM_14.1.9.C.01" + ], + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4", + "definitionVersion": "9.*.*", + "parameters": { + "excludedNamespaces": { + "value": "[parameters('excludedNamespaces-1')]" + }, + "excludedImages": { + "value": "[parameters('excludedImages-1')]" + }, + "labelSelector": { + "value": "[parameters('labelSelector-1')]" + }, + "excludedContainers": { + "value": "[parameters('excludedContainers-1')]" + }, + "namespaces": { + "value": "[parameters('namespaces-1')]" + } + } + }, + { + "policyDefinitionReferenceId": "Kubernetes clusters should be accessible only over HTTPS", + "groupNames": [ + "New_Zealand_ISM_14.1.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", + "definitionVersion": "8.*.*", + "parameters": { + "excludedNamespaces": { + "value": "[parameters('excludedNamespaces-1')]" + }, + "labelSelector": { + "value": "[parameters('labelSelector-1')]" + }, + "namespaces": { + "value": "[parameters('namespaces-1')]" + } + } + }, + { + "policyDefinitionReferenceId": "Kubernetes clusters should disable automounting API credentials", + "groupNames": [ + "New_Zealand_ISM_14.1.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/423dd1ba-798e-40e4-9c4d-b6902674b423", + "definitionVersion": "4.*.*", + "parameters": { + "excludedNamespaces": { + "value": "[parameters('excludedNamespaces-1')]" + }, + "excludedImages": { + "value": "[parameters('excludedImages-1')]" + }, + "labelSelector": { + "value": "[parameters('labelSelector-1')]" + }, + "namespaces": { + "value": "[parameters('namespaces-1')]" + } + } + }, + { + "policyDefinitionReferenceId": "Kubernetes clusters should not allow container privilege escalation", + "groupNames": [ + "New_Zealand_ISM_14.1.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99", + "definitionVersion": 
"7.*.*",
+ "parameters": {
+ "excludedNamespaces": {
+ "value": "[parameters('excludedNamespaces-1')]"
+ },
+ "excludedImages": {
+ "value": "[parameters('excludedImages-1')]"
+ },
+ "labelSelector": {
+ "value": "[parameters('labelSelector-1')]"
+ },
+ "excludedContainers": {
+ "value": "[parameters('excludedContainers-1')]"
+ },
+ "namespaces": {
+ "value": "[parameters('namespaces-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities",
+ "groupNames": [
+ "New_Zealand_ISM_14.1.9.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d2e7ea85-6b44-4317-a0be-1b951587f626",
+ "definitionVersion": "5.*.*",
+ "parameters": {
+ "excludedNamespaces": {
+ "value": "[parameters('excludedNamespaces-1')]"
+ },
+ "excludedImages": {
+ "value": "[parameters('excludedImages-1')]"
+ },
+ "labelSelector": {
+ "value": "[parameters('labelSelector-1')]"
+ },
+ "excludedContainers": {
+ "value": "[parameters('excludedContainers-1')]"
+ },
+ "namespaces": {
+ "value": "[parameters('namespaces-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "Kubernetes clusters should not use the default namespace",
+ "groupNames": [
+ "New_Zealand_ISM_14.1.9.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373",
+ "definitionVersion": "4.*.*",
+ "parameters": {
+ "excludedNamespaces": {
+ "value": "[parameters('excludedNamespaces-1')]"
+ },
+ "labelSelector": {
+ "value": "[parameters('labelSelector-1')]"
+ },
+ "namespaces": {
+ "value": "[parameters('namespaces-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "Management ports of virtual machines should be protected with just-in-time network access control",
+ "groupNames": [
+ "New_Zealand_ISM_14.1.9.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c",
+ "definitionVersion": 
"3.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Microsoft Antimalware for Azure should be configured to automatically update protection signatures",
+ "groupNames": [
+ "New_Zealand_ISM_14.1.9.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c43e4a30-77cb-48ab-a4dd-93f175c63b57",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Microsoft IaaSAntimalware extension should be deployed on Windows servers",
+ "groupNames": [
+ "New_Zealand_ISM_14.1.9.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9b597639-28e4-48eb-b506-56b05d366257",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Monitor missing Endpoint Protection in Azure Security Center",
+ "groupNames": [
+ "New_Zealand_ISM_14.1.9.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9",
+ "definitionVersion": "3.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Virtual machines- Guest Configuration extension should be deployed with system-assigned managed identity",
+ "groupNames": [
+ "New_Zealand_ISM_14.1.9.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Windows Defender Exploit Guard should be enabled on your machines",
+ "groupNames": [
+ "New_Zealand_ISM_14.1.9.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40",
+ "definitionVersion": "2.*.*",
+ "parameters": {
+ "IncludeArcMachines": {
+ "value": "[parameters('IncludeArcMachines-1')]"
+ },
+ "NotAvailableMachineState": {
+ "value": "[parameters('NotAvailableMachineState-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": 
"Adaptive application controls for defining safe applications should be enabled on your machines",
+ "groupNames": [
+ "New_Zealand_ISM_14.2.4.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc",
+ "definitionVersion": "3.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Allowlist rules in your adaptive application control policy should be updated",
+ "groupNames": [
+ "New_Zealand_ISM_14.2.4.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/123a3936-f020-408a-ba0c-47873faf1534",
+ "definitionVersion": "3.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "App Service apps should have authentication enabled",
+ "groupNames": [
+ "New_Zealand_ISM_14.5.8.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95bccee9-a7f8-4bec-9ee9-62c3473701fc",
+ "definitionVersion": "2.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "App Service apps should not have CORS configured to allow every resource to access your apps",
+ "groupNames": [
+ "New_Zealand_ISM_14.5.8.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9",
+ "definitionVersion": "2.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "App Service apps should only be accessible over HTTPS",
+ "groupNames": [
+ "New_Zealand_ISM_14.5.8.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d",
+ "definitionVersion": "4.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "App Service apps should require FTPS only",
+ "groupNames": [
+ "New_Zealand_ISM_14.5.8.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b",
+ "definitionVersion": "3.*.*",
+ "parameters": {}
+ },
+ {
+ 
"policyDefinitionReferenceId": "App Service apps should use latest -HTTP Version-",
+ "groupNames": [
+ "New_Zealand_ISM_14.5.8.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8c122334-9d20-4eb8-89ea-ac9a705b74ae",
+ "definitionVersion": "4.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "App Service apps that use Java should use a specified -Java version-",
+ "groupNames": [
+ "New_Zealand_ISM_14.5.8.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed",
+ "definitionVersion": "3.*.*",
+ "parameters": {
+ "LinuxJavaVersion": {
+ "value": "[parameters('LinuxJavaVersion-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "App Service apps that use PHP should use a specified -PHP version-",
+ "groupNames": [
+ "New_Zealand_ISM_14.5.8.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3",
+ "definitionVersion": "3.*.*",
+ "parameters": {
+ "LinuxPHPVersion": {
+ "value": "[parameters('LinuxPHPVersion-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "App Service apps that use Python should use a specified -Python version-",
+ "groupNames": [
+ "New_Zealand_ISM_14.5.8.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73",
+ "definitionVersion": "4.*.*",
+ "parameters": {
+ "LinuxPythonVersion": {
+ "value": "[parameters('LinuxPythonVersion-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "Function apps should have authentication enabled",
+ "groupNames": [
+ "New_Zealand_ISM_14.5.8.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8",
+ "definitionVersion": "3.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Function apps should not have CORS configured to allow every resource to access 
your apps",
+ "groupNames": [
+ "New_Zealand_ISM_14.5.8.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5",
+ "definitionVersion": "2.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Function apps should only be accessible over HTTPS",
+ "groupNames": [
+ "New_Zealand_ISM_14.5.8.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab",
+ "definitionVersion": "5.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Function apps should require FTPS only",
+ "groupNames": [
+ "New_Zealand_ISM_14.5.8.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15",
+ "definitionVersion": "3.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Function apps should use latest -HTTP Version-",
+ "groupNames": [
+ "New_Zealand_ISM_14.5.8.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e2c1c086-2d84-4019-bff3-c44ccd95113c",
+ "definitionVersion": "4.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Function apps that use Java should use a specified -Java version-",
+ "groupNames": [
+ "New_Zealand_ISM_14.5.8.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc",
+ "definitionVersion": "3.*.*",
+ "parameters": {
+ "LinuxJavaVersion": {
+ "value": "[parameters('LinuxJavaVersion-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "Function apps that use Python should use a specified -Python version-",
+ "groupNames": [
+ "New_Zealand_ISM_14.5.8.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73",
+ "definitionVersion": "4.*.*",
+ "parameters": {
+ "LinuxPythonVersion": {
+ "value": 
"[parameters('LinuxPythonVersion-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "App Service apps should have Client Certificates (Incoming client certificates) enabled",
+ "groupNames": [
+ "New_Zealand_ISM_14.5.8.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/19dd1db6-f442-49cf-a838-b0786b4401ef",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "App Service app slots should have Client Certificates (Incoming client certificates) enabled",
+ "groupNames": [
+ "New_Zealand_ISM_14.5.8.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b0bd968-5cb5-4513-8987-27786c6f0df8",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Function apps should have Client Certificates (Incoming client certificates) enabled",
+ "groupNames": [
+ "New_Zealand_ISM_14.5.8.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ab6a902f-9493-453b-928d-62c30b11b5a6",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "App Service apps should use managed identity",
+ "groupNames": [
+ "New_Zealand_ISM_16.1.32.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332",
+ "definitionVersion": "3.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Azure SQL Database should have Microsoft Entra-only authentication enabled during creation",
+ "groupNames": [
+ "New_Zealand_ISM_16.1.32.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abda6d70-9778-44e7-84a8-06713e6db027",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Cosmos DB database accounts should have local authentication methods disabled",
+ "groupNames": [
+ "New_Zealand_ISM_16.1.32.C.01"
+ ],
+ "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Function apps should use managed identity",
+ "groupNames": [
+ "New_Zealand_ISM_16.1.32.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f",
+ "definitionVersion": "3.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Service Fabric clusters should only use Azure Active Directory for client authentication",
+ "groupNames": [
+ "New_Zealand_ISM_16.1.32.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "API Management calls to API backends should be authenticated",
+ "groupNames": [
+ "New_Zealand_ISM_16.1.32.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c15dcc82-b93c-4dcb-9332-fbf121685b54",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Storage accounts should prevent shared key access",
+ "groupNames": [
+ "New_Zealand_ISM_16.1.32.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54",
+ "definitionVersion": "2.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Azure SQL Managed Instance should have Microsoft Entra-only authentication enabled",
+ "groupNames": [
+ "New_Zealand_ISM_16.1.32.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0c28c3fb-c244-42d5-a9bf-f35f2999577b",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "A Microsoft Entra administrator should be provisioned for MySQL servers",
+ "groupNames": [
+ "New_Zealand_ISM_16.1.32.C.01"
+ ],
+ 
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/146412e9-005c-472b-9e48-c87b72ac229e",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Synapse Workspaces should use only Microsoft Entra identities for authentication during workspace creation",
+ "groupNames": [
+ "New_Zealand_ISM_16.1.32.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2158ddbe-fefa-408e-b43f-d4faef8ff3b8",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Azure MySQL flexible server should have Microsoft Entra Only Authentication enabled",
+ "groupNames": [
+ "New_Zealand_ISM_16.1.32.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/40e85574-ef33-47e8-a854-7a65c7500560",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Synapse Workspaces should have Microsoft Entra-only authentication enabled",
+ "groupNames": [
+ "New_Zealand_ISM_16.1.32.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6ea81a52-5ca7-4575-9669-eaa910b7edf8",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Azure AI Services resources should have key access disabled (disable local authentication)",
+ "groupNames": [
+ "New_Zealand_ISM_16.1.32.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Azure SQL Managed Instances should have Microsoft Entra-only authentication enabled during creation",
+ "groupNames": [
+ "New_Zealand_ISM_16.1.32.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/78215662-041e-49ed-a9dd-5385911b3a1f",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ 
"policyDefinitionReferenceId": "Azure SQL Database should have Microsoft Entra-only authentication enabled",
+ "groupNames": [
+ "New_Zealand_ISM_16.1.32.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b3a22bc9-66de-45fb-98fa-00f5df42f41a",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "A Microsoft Entra administrator should be provisioned for PostgreSQL servers",
+ "groupNames": [
+ "New_Zealand_ISM_16.1.32.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4dec045-250a-48c2-b5cc-e0c4eec8b5b4",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Azure Machine Learning Computes should have local authentication methods disabled",
+ "groupNames": [
+ "New_Zealand_ISM_16.1.32.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f",
+ "definitionVersion": "2.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "API endpoints in Azure API Management should be authenticated",
+ "groupNames": [
+ "New_Zealand_ISM_16.1.32.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8ac833bd-f505-48d5-887e-c993a1d3eea0",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "A maximum of 3 owners should be designated for your subscription",
+ "groupNames": [
+ "New_Zealand_ISM_16.3.5.C.02"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c",
+ "definitionVersion": "3.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Blocked accounts with owner permissions on Azure resources should be removed",
+ "groupNames": [
+ "New_Zealand_ISM_16.4.30.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0cfea604-3201-4e14-88fc-fae4c427a6c5",
+ 
"definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Blocked accounts with read and write permissions on Azure resources should be removed",
+ "groupNames": [
+ "New_Zealand_ISM_16.4.30.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8d7e1fde-fe26-4b5f-8108-f8e432cbc2be",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Guest accounts with owner permissions on Azure resources should be removed",
+ "groupNames": [
+ "New_Zealand_ISM_16.4.30.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/339353f6-2387-4a45-abe4-7f529d121046",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Guest accounts with read permissions on Azure resources should be removed",
+ "groupNames": [
+ "New_Zealand_ISM_16.4.30.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9ac8f8e-ce22-4355-8f04-99b911d6be52",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Guest accounts with write permissions on Azure resources should be removed",
+ "groupNames": [
+ "New_Zealand_ISM_16.4.30.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/94e1c2ac-cbbe-4cac-a2b5-389c812dee87",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "There should be more than one owner assigned to your subscription",
+ "groupNames": [
+ "New_Zealand_ISM_16.4.30.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b",
+ "definitionVersion": "3.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "An Azure Active Directory administrator should be provisioned for SQL servers",
+ "groupNames": [
+ "New_Zealand_ISM_16.4.32.C.01"
+ ],
+ "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "API Management APIs should use only encrypted protocols",
+ "groupNames": [
+ "New_Zealand_ISM_17.1.55.C.03"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee7495e7-3ba7-40b6-bfee-c29e22cc75d4",
+ "definitionVersion": "2.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Key Vault keys should have an expiration date",
+ "groupNames": [
+ "New_Zealand_ISM_17.1.58.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Key Vault secrets should have an expiration date",
+ "groupNames": [
+ "New_Zealand_ISM_17.1.58.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Storage account keys should not be expired",
+ "groupNames": [
+ "New_Zealand_ISM_17.1.58.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537",
+ "definitionVersion": "3.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Keys using RSA cryptography should have a specified minimum key size",
+ "groupNames": [
+ "New_Zealand_ISM_17.2.19.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9",
+ "definitionVersion": "1.*.*",
+ "parameters": {
+ "minimumRSAKeySize": {
+ "value": "[parameters('minimumRSAKeySize-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "Keys using elliptic curve cryptography should have the specified curve names",
+ "groupNames": [
+ 
"New_Zealand_ISM_17.2.22.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255",
+ "definitionVersion": "1.*.*",
+ "parameters": {
+ "allowedECNames": {
+ "value": "[parameters('allowedECNames-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "Certificates using RSA cryptography should have the specified minimum key size",
+ "groupNames": [
+ "New_Zealand_ISM_17.2.24.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0",
+ "definitionVersion": "2.*.*",
+ "parameters": {
+ "minimumRSAKeySize": {
+ "value": "[parameters('minimumRSAKeySize-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "App Service apps should use the latest TLS version",
+ "groupNames": [
+ "New_Zealand_ISM_17.4.16.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b",
+ "definitionVersion": "2.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Function apps should use the latest TLS version",
+ "groupNames": [
+ "New_Zealand_ISM_17.4.16.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193",
+ "definitionVersion": "2.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Windows machines should be configured to use secure communication protocols",
+ "groupNames": [
+ "New_Zealand_ISM_17.4.16.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112",
+ "definitionVersion": "4.*.*",
+ "parameters": {
+ "IncludeArcMachines": {
+ "value": "[parameters('IncludeArcMachines-1')]"
+ },
+ "MinimumTLSVersion": {
+ "value": "[parameters('MinimumTLSVersion-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "Azure SQL Database should be running TLS version 1.2 or newer",
+ "groupNames": [
+ 
"New_Zealand_ISM_17.4.16.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf",
+ "definitionVersion": "2.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Storage accounts should have the specified minimum TLS version",
+ "groupNames": [
+ "New_Zealand_ISM_17.4.16.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0",
+ "definitionVersion": "1.*.*",
+ "parameters": {
+ "minimumTlsVersion": {
+ "value": "[parameters('minimumTlsVersion-2')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "IP Forwarding on your virtual machine should be disabled",
+ "groupNames": [
+ "New_Zealand_ISM_17.5.6.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744",
+ "definitionVersion": "3.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Authentication to Linux machines should require SSH keys",
+ "groupNames": [
+ "New_Zealand_ISM_17.5.7.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6",
+ "definitionVersion": "3.*.*",
+ "parameters": {
+ "IncludeArcMachines": {
+ "value": "[parameters('IncludeArcMachines-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "Azure Key Vault should use RBAC permission model",
+ "groupNames": [
+ "New_Zealand_ISM_17.9.35.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "API Management secret named values should be stored in Azure Key Vault",
+ "groupNames": [
+ "New_Zealand_ISM_17.9.36.C.02"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f1cc7827-022c-473e-836e-5a51cae0b249",
+ "definitionVersion": "1.*.*",
+ 
"parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Adaptive network hardening recommendations should be applied on internet facing virtual machines",
+ "groupNames": [
+ "New_Zealand_ISM_18.1.10.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6",
+ "definitionVersion": "3.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "All network ports should be restricted on network security groups associated to your virtual machine",
+ "groupNames": [
+ "New_Zealand_ISM_18.1.13.C.02"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6",
+ "definitionVersion": "3.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Authorized IP ranges should be defined on Kubernetes Services",
+ "groupNames": [
+ "New_Zealand_ISM_18.1.13.C.02"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea",
+ "definitionVersion": "2.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Azure AI Services resources should restrict network access",
+ "groupNames": [
+ "New_Zealand_ISM_18.1.13.C.02"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3",
+ "definitionVersion": "3.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Azure Cosmos DB accounts should have firewall rules",
+ "groupNames": [
+ "New_Zealand_ISM_18.1.13.C.02"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb",
+ "definitionVersion": "2.*.*",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('deny_effect-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "Azure Key Vault should have firewall enabled",
+ "groupNames": [
+ "New_Zealand_ISM_18.1.13.C.02"
+ ],
+ "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490",
+ "definitionVersion": "3.*.*",
+ "parameters": {
+ "allowedIPAddresses": {
+ "value": "[parameters('allowedIPAddresses-1')]"
+ },
+ "forbiddenIPAddresses": {
+ "value": "[parameters('forbiddenIPAddresses-1')]"
+ },
+ "restrictIPAddresses": {
+ "value": "[parameters('restrictIPAddresses-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "Container registries should not allow unrestricted network access",
+ "groupNames": [
+ "New_Zealand_ISM_18.1.13.C.02"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71",
+ "definitionVersion": "2.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "CORS should not allow every domain to access your API for FHIR",
+ "groupNames": [
+ "New_Zealand_ISM_18.1.13.C.02"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0fea8f8a-4169-495d-8307-30ec335f387d",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Enforce SSL connection should be enabled for MySQL database servers",
+ "groupNames": [
+ "New_Zealand_ISM_18.1.13.C.02"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Enforce SSL connection should be enabled for PostgreSQL database servers",
+ "groupNames": [
+ "New_Zealand_ISM_18.1.13.C.02"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Internet-facing virtual machines should be protected with network security groups",
+ "groupNames": [
+ "New_Zealand_ISM_18.1.13.C.02"
+ ],
+ "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c",
+ "definitionVersion": "3.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Non-internet-facing virtual machines should be protected with network security groups",
+ "groupNames": [
+ "New_Zealand_ISM_18.1.13.C.02"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6",
+ "definitionVersion": "3.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Only secure connections to your Azure Cache for Redis should be enabled",
+ "groupNames": [
+ "New_Zealand_ISM_18.1.13.C.02"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Public network access on Azure SQL Database should be disabled",
+ "groupNames": [
+ "New_Zealand_ISM_18.1.13.C.02"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Public network access should be disabled for MariaDB servers",
+ "groupNames": [
+ "New_Zealand_ISM_18.1.13.C.02"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077",
+ "definitionVersion": "2.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Public network access should be disabled for MySQL servers",
+ "groupNames": [
+ "New_Zealand_ISM_18.1.13.C.02"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095",
+ "definitionVersion": "2.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Public network access should be disabled for PostgreSQL servers",
+ "groupNames": [
+ "New_Zealand_ISM_18.1.13.C.02"
+ ],
+ 
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c",
+ "definitionVersion": "2.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Secure transfer to storage accounts should be enabled",
+ "groupNames": [
+ "New_Zealand_ISM_18.1.13.C.02"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
+ "definitionVersion": "2.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Storage accounts should restrict network access",
+ "groupNames": [
+ "New_Zealand_ISM_18.1.13.C.02"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Subnets should be associated with a Network Security Group",
+ "groupNames": [
+ "New_Zealand_ISM_18.1.13.C.02"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517",
+ "definitionVersion": "3.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Azure DDoS Protection should be enabled",
+ "groupNames": [
+ "New_Zealand_ISM_18.4.7.C.02"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd",
+ "definitionVersion": "3.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Connection throttling should be enabled for PostgreSQL database servers",
+ "groupNames": [
+ "New_Zealand_ISM_18.4.7.C.02"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5345bb39-67dc-4960-a1bf-427e16b9a0bd",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace",
+ "groupNames": [
+ "New_Zealand_ISM_18.4.8.C.01"
+ ],
+ 
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Web Application Firewall should be enabled for Azure Front Door entry-points", + "groupNames": [ + "New_Zealand_ISM_18.4.8.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Web Application Firewall (WAF) should be enabled for Application Gateway", + "groupNames": [ + "New_Zealand_ISM_18.4.8.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66", + "definitionVersion": "2.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Web Application Firewall (WAF) should use the specified mode for Application Gateway", + "groupNames": [ + "New_Zealand_ISM_18.4.8.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096", + "definitionVersion": "1.*.*", + "parameters": { + "modeRequirement": { + "value": "[parameters('modeRequirement-1')]" + } + } + }, + { + "policyDefinitionReferenceId": "Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service", + "groupNames": [ + "New_Zealand_ISM_18.4.8.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8", + "definitionVersion": "1.*.*", + "parameters": { + "modeRequirement": { + "value": "[parameters('modeRequirement-1')]" + } + } + }, + { + "policyDefinitionReferenceId": "API endpoints that are unused should be disabled and removed from the Azure API Management service", + "groupNames": [ + "New_Zealand_ISM_22.1.24.C.03" + ], + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/c8acafaf-3d23-44d1-9624-978ef0f8652c", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Virtual machines and virtual machine scale sets should have encryption at host enabled", + "groupNames": [ + "New_Zealand_ISM_22.1.24.C.04" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Accounts with owner permissions on Azure resources should be MFA enabled", + "groupNames": [ + "New_Zealand_ISM_23.3.19.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e3e008c3-56b9-4133-8fd7-d3347377402a", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Accounts with read permissions on Azure resources should be MFA enabled", + "groupNames": [ + "New_Zealand_ISM_23.3.19.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Accounts with write permissions on Azure resources should be MFA enabled", + "groupNames": [ + "New_Zealand_ISM_23.3.19.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/931e118d-50a1-4457-a5e4-78550e086c52", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "API Management minimum API version should be set to 2019-12-01 or higher", + "groupNames": [ + "New_Zealand_ISM_23.4.10.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/549814b6-3212-4203-bdc8-1548d342fb67", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "API Management subscriptions should not be scoped to all APIs", + "groupNames": [ + 
"New_Zealand_ISM_23.4.10.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3aa03346-d8c5-4994-a5bc-7652c2a2aef1", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "API Management direct management endpoint should not be enabled", + "groupNames": [ + "New_Zealand_ISM_23.4.10.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b741306c-968e-4b67-b916-5675e5c709f4", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "API Management calls to API backends should not bypass certificate thumbprint or name validation", + "groupNames": [ + "New_Zealand_ISM_23.4.10.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/92bb331d-ac71-416a-8c91-02f2cb734ce4", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Automation account variables should be encrypted", + "groupNames": [ + "New_Zealand_ISM_23.4.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest", + "groupNames": [ + "New_Zealand_ISM_23.4.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Key Vault Managed HSM should have purge protection enabled", + "groupNames": [ + "New_Zealand_ISM_23.4.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Machine Learning workspaces should be encrypted 
with a customer-managed key", + "groupNames": [ + "New_Zealand_ISM_23.4.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Cognitive Services accounts should enable data encryption with a customer-managed key", + "groupNames": [ + "New_Zealand_ISM_23.4.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d", + "definitionVersion": "2.*.*", + "parameters": { + "excludedKinds": { + "value": "[parameters('excludedKinds-1')]" + } + } + }, + { + "policyDefinitionReferenceId": "Container registries should be encrypted with a customer-managed key", + "groupNames": [ + "New_Zealand_ISM_23.4.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Disk encryption should be enabled on Azure Data Explorer", + "groupNames": [ + "New_Zealand_ISM_23.4.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e", + "definitionVersion": "2.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Key vaults should have deletion protection enabled", + "groupNames": [ + "New_Zealand_ISM_23.4.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53", + "definitionVersion": "2.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Key vaults should have soft delete enabled", + "groupNames": [ + "New_Zealand_ISM_23.4.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d", + "definitionVersion": "3.*.*", + "parameters": {} + }, + { + 
"policyDefinitionReferenceId": "MySQL servers should use customer-managed keys to encrypt data at rest", + "groupNames": [ + "New_Zealand_ISM_23.4.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "PostgreSQL servers should use customer-managed keys to encrypt data at rest", + "groupNames": [ + "New_Zealand_ISM_23.4.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Require encryption on Data Lake Store accounts", + "groupNames": [ + "New_Zealand_ISM_23.4.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a7ff3161-0087-490a-9ad9-ad6217f4f43a", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign", + "groupNames": [ + "New_Zealand_ISM_23.4.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "SQL managed instances should use customer-managed keys to encrypt data at rest", + "groupNames": [ + "New_Zealand_ISM_23.4.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2", + "definitionVersion": "2.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "SQL servers should use customer-managed keys to encrypt data at rest", + "groupNames": [ + "New_Zealand_ISM_23.4.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8", + 
"definitionVersion": "2.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Storage accounts should use customer-managed key for encryption", + "groupNames": [ + "New_Zealand_ISM_23.4.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Transparent Data Encryption on SQL databases should be enabled", + "groupNames": [ + "New_Zealand_ISM_23.4.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12", + "definitionVersion": "2.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "App Service apps should have resource logs enabled", + "groupNames": [ + "New_Zealand_ISM_23.5.11.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/91a78b24-f231-4a8a-8da9-02c35b2b6510", + "definitionVersion": "2.*.*", + "parameters": { + "requiredRetentionDays": { + "value": "[parameters('requiredRetentionDays-1')]" + } + } + }, + { + "policyDefinitionReferenceId": "Audit usage of custom RBAC roles", + "groupNames": [ + "New_Zealand_ISM_23.5.11.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Auditing on SQL server should be enabled", + "groupNames": [ + "New_Zealand_ISM_23.5.11.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9", + "definitionVersion": "2.*.*", + "parameters": { + "setting": { + "value": "[parameters('setting-1')]" + } + } + }, + { + "policyDefinitionReferenceId": "Auto provisioning of the Log Analytics agent should be enabled on your subscription", + "groupNames": [ + "New_Zealand_ISM_23.5.11.C.01" + ], + 
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Disconnections should be logged for PostgreSQL database servers.", + "groupNames": [ + "New_Zealand_ISM_23.5.11.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e446", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Log connections should be enabled for PostgreSQL database servers", + "groupNames": [ + "New_Zealand_ISM_23.5.11.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e442", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Resource logs in Azure Data Lake Store should be enabled", + "groupNames": [ + "New_Zealand_ISM_23.5.11.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb", + "definitionVersion": "5.*.*", + "parameters": { + "requiredRetentionDays": { + "value": "[parameters('requiredRetentionDays-1')]" + } + } + }, + { + "policyDefinitionReferenceId": "Resource logs in Azure Kubernetes Service should be enabled", + "groupNames": [ + "New_Zealand_ISM_23.5.11.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/245fc9df-fa96-4414-9a0b-3738c2f7341c", + "definitionVersion": "1.*.*", + "parameters": { + "requiredRetentionDays": { + "value": "[parameters('requiredRetentionDays-1')]" + } + } + }, + { + "policyDefinitionReferenceId": "Resource logs in Azure Stream Analytics should be enabled", + "groupNames": [ + "New_Zealand_ISM_23.5.11.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46", + "definitionVersion": "5.*.*", + "parameters": { + 
"requiredRetentionDays": { + "value": "[parameters('requiredRetentionDays-1')]" + } + } + }, + { + "policyDefinitionReferenceId": "Resource logs in Batch accounts should be enabled", + "groupNames": [ + "New_Zealand_ISM_23.5.11.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d", + "definitionVersion": "5.*.*", + "parameters": { + "requiredRetentionDays": { + "value": "[parameters('requiredRetentionDays-1')]" + } + } + }, + { + "policyDefinitionReferenceId": "Resource logs in Data Lake Analytics should be enabled", + "groupNames": [ + "New_Zealand_ISM_23.5.11.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c", + "definitionVersion": "5.*.*", + "parameters": { + "requiredRetentionDays": { + "value": "[parameters('requiredRetentionDays-1')]" + } + } + }, + { + "policyDefinitionReferenceId": "Resource logs in Event Hub should be enabled", + "groupNames": [ + "New_Zealand_ISM_23.5.11.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a", + "definitionVersion": "5.*.*", + "parameters": { + "requiredRetentionDays": { + "value": "[parameters('requiredRetentionDays-1')]" + } + } + }, + { + "policyDefinitionReferenceId": "Resource logs in IoT Hub should be enabled", + "groupNames": [ + "New_Zealand_ISM_23.5.11.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4", + "definitionVersion": "3.*.*", + "parameters": { + "requiredRetentionDays": { + "value": "[parameters('requiredRetentionDays-1')]" + } + } + }, + { + "policyDefinitionReferenceId": "Resource logs in Key Vault should be enabled", + "groupNames": [ + "New_Zealand_ISM_23.5.11.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21", + "definitionVersion": 
"5.*.*", + "parameters": { + "requiredRetentionDays": { + "value": "[parameters('requiredRetentionDays-1')]" + } + } + }, + { + "policyDefinitionReferenceId": "Resource logs in Logic Apps should be enabled", + "groupNames": [ + "New_Zealand_ISM_23.5.11.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d", + "definitionVersion": "5.*.*", + "parameters": { + "requiredRetentionDays": { + "value": "[parameters('requiredRetentionDays-1')]" + } + } + }, + { + "policyDefinitionReferenceId": "Resource logs in Search services should be enabled", + "groupNames": [ + "New_Zealand_ISM_23.5.11.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4", + "definitionVersion": "5.*.*", + "parameters": { + "requiredRetentionDays": { + "value": "[parameters('requiredRetentionDays-1')]" + } + } + }, + { + "policyDefinitionReferenceId": "Resource logs in Service Bus should be enabled", + "groupNames": [ + "New_Zealand_ISM_23.5.11.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45", + "definitionVersion": "5.*.*", + "parameters": { + "requiredRetentionDays": { + "value": "[parameters('requiredRetentionDays-1')]" + } + } + }, + { + "policyDefinitionReferenceId": "SQL servers with auditing to storage account destination should be configured with 90 days retention or higher", + "groupNames": [ + "New_Zealand_ISM_23.5.11.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743", + "definitionVersion": "3.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "SQL server-targeted autoprovisioning should be enabled for SQL servers on machines plan", + "groupNames": [ + "New_Zealand_ISM_23.5.11.C.01" + ], + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/c6283572-73bb-4deb-bf2c-7a2b8f7462cb", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Resource logs in Azure Machine Learning Workspaces should be enabled", + "groupNames": [ + "New_Zealand_ISM_23.5.11.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/afe0c3be-ba3b-4544-ba52-0c99672a8ad6", + "definitionVersion": "1.*.*", + "parameters": { + "requiredRetentionDays": { + "value": "[parameters('requiredRetentionDays-1')]" + } + } + } + ], + "versions": [ + "1.0.0-PREVIEW" + ] + }, + "id": "/providers/Microsoft.Authorization/policySetDefinitions/4f5b1359-4f8e-4d7c-9733-ea47fcde891e", + "name": "4f5b1359-4f8e-4d7c-9733-ea47fcde891e" +} \ No newline at end of file diff --git a/built-in-policies/policySetDefinitions/Security Center/AzureSecurityCenter.json b/built-in-policies/policySetDefinitions/Security Center/AzureSecurityCenter.json index 27ee38399..fb4faa955 100644 --- a/built-in-policies/policySetDefinitions/Security Center/AzureSecurityCenter.json +++ b/built-in-policies/policySetDefinitions/Security Center/AzureSecurityCenter.json @@ -4,10 +4,10 @@ "policyType": "BuiltIn", "description": "The Microsoft cloud security benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft cloud security benchmark, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender for Cloud.", "metadata": { - "version": "57.40.0", + "version": "57.41.0", "category": "Security Center" }, - "version": "57.40.0", + "version": "57.41.0", "policyDefinitionGroups": [ { "name": "Azure_Security_Benchmark_v3.0_NS-1", 
@@ -6479,6 +6479,17 @@
 "Azure_Security_Benchmark_v3.0_IR-5"
 ]
 },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3bc8a0d5-38e0-4a3d-a657-2cb64468fc34",
+ "definitionVersion": "1.*.*",
+ "policyDefinitionReferenceId": "mySqlFlexibleServersAdvancedDataSecurityMonitoring",
+ "groupNames": [
+ "Azure_Security_Benchmark_v3.0_LT-1",
+ "Azure_Security_Benchmark_v3.0_LT-2",
+ "Azure_Security_Benchmark_v3.0_IR-3",
+ "Azure_Security_Benchmark_v3.0_IR-5"
+ ]
+ },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/938c4981-c2c9-4168-9cd6-972b8675f906",
 "definitionVersion": "1.*.*",
@@ -8731,6 +8742,7 @@
 }
 ],
 "versions": [
+ "57.41.0",
 "57.40.0",
 "57.39.0",
 "57.38.0",
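Review bot: The new reference to policy definition 3bc8a0d5-38e0-4a3d-a657-2cb64468fc34 carries no `parameters` object, so under this initiative the policy runs with whatever `effect` default the definition itself declares, and an assignment cannot tune or disable it without editing the initiative; if sibling Defender-plan entries in this file expose `effect` through an initiative parameter (their parameter blocks fall outside this hunk, so this is inferred), the new entry should follow the same pattern for consistency. Each of the four `groupNames` must match a `name` declared under `policyDefinitionGroups`; only `Azure_Security_Benchmark_v3.0_NS-1` is visible in the first hunk, so LT-1, LT-2, IR-3 and IR-5 should be confirmed to exist there, since an undeclared group name fails initiative validation. The `policyDefinitionReferenceId` `mySqlFlexibleServersAdvancedDataSecurityMonitoring` also has to be unique across the whole `policyDefinitions` array, which cannot be checked from this hunk. The enclosing `policyDefinitions` array starts and ends outside the hunk.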