diff --git a/built-in-policies/policyDefinitions/Guest Configuration/ACAT_ InternetTimeDefaultNtpServer_AINE.json b/built-in-policies/policyDefinitions/Guest Configuration/ACAT_ InternetTimeDefaultNtpServer_AINE.json index c32c7f187..15940a099 100644 --- a/built-in-policies/policyDefinitions/Guest Configuration/ACAT_ InternetTimeDefaultNtpServer_AINE.json +++ b/built-in-policies/policyDefinitions/Guest Configuration/ACAT_ InternetTimeDefaultNtpServer_AINE.json @@ -1,12 +1,13 @@ { "properties": { - "displayName": "Windows machines should use the default NTP server", + "displayName": "[Deprecated]: Windows machines should use the default NTP server", "policyType": "BuiltIn", "mode": "Indexed", - "description": "Setup the 'time.windows.com' as the default NTP Server for all Windows machines to ensure logs across all systems have system clocks that are all in sync. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol.", + "description": "This policy is deprecated because Microsoft 365 App Compliance Program no longer checks the default NTP server on Windows machines. Learn more details about the latest M365 APP Compliance requirements at aka.ms/acat-cert2-seg-ops. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.", "metadata": { "category": "Guest Configuration", - "version": "1.0.0", + "version": "1.1.0-deprecated", + "deprecated": true, "requiredProviders": [ "Microsoft.GuestConfiguration" ], @@ -15,7 +16,7 @@ "version": "1.*" } }, - "version": "1.0.0", + "version": "1.1.0", "parameters": { "IncludeArcMachines": { "type": "string", @@ -39,7 +40,7 @@ "AuditIfNotExists", "Disabled" ], - "defaultValue": "AuditIfNotExists" + "defaultValue": "Disabled" } }, "policyRule": { @@ -239,6 +240,7 @@ } }, "versions": [ + "1.1.0", "1.0.0" ] }, 
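Review bot: The replacement description in the `@@ -1,12 +1,13 @@` hunk cites `aka.ms/acat-cert2-seg-ops` and `aka.ms/policydefdeprecation` as bare hostnames, whereas the text it replaces wrote its reference as `https://aka.ms/gcpol`; the same applies to the deprecation descriptions in ACAT_WindowsDefenderScanScheduleDaily_AINE.json and the seven Network/ACAT_* files below. Writing them as `https://aka.ms/acat-cert2-seg-ops` and `https://aka.ms/policydefdeprecation` keeps the built-in descriptions consistent with each other and leaves no doubt that they are URLs. In the `@@ -39,7 +40,7 @@` hunk `AuditIfNotExists` stays in `allowedValues` while only `defaultValue` moves to `Disabled`, so an assignment that pinned the effect explicitly would presumably keep auditing after this update; if that is the intent, one sentence in the description saying so would save assigners from checking.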
diff --git a/built-in-policies/policyDefinitions/Guest Configuration/ACAT_ UpdateDefenderSignatureDaily_AINE.json b/built-in-policies/policyDefinitions/Guest Configuration/ACAT_ UpdateDefenderSignatureDaily_AINE.json index 28e64377f..2cffc3837 100644 --- a/built-in-policies/policyDefinitions/Guest Configuration/ACAT_ UpdateDefenderSignatureDaily_AINE.json +++ b/built-in-policies/policyDefinitions/Guest Configuration/ACAT_ UpdateDefenderSignatureDaily_AINE.json @@ -3,10 +3,10 @@ "displayName": "Windows machines should configure Windows Defender to update protection signatures within one day", "policyType": "BuiltIn", "mode": "Indexed", - "description": "To provide adequate protection against newly released malware, Windows Defender protection signatures need to be updated regularly to account for newly released malware. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol.", + "description": "To provide adequate protection against newly released malware, Windows Defender protection signatures need to be updated regularly to account for newly released malware. This policy is not applied to Arc connected servers and it requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol.", "metadata": { "category": "Guest Configuration", - "version": "1.0.0", + "version": "1.0.1", "requiredProviders": [ "Microsoft.GuestConfiguration" ], @@ -15,7 +15,7 @@ "version": "1.*" } }, - "version": "1.0.0", + "version": "1.0.1", "parameters": { "IncludeArcMachines": { "type": "string", @@ -239,6 +239,7 @@ } }, "versions": [ + "1.0.1", "1.0.0" ] }, 
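Review bot: The new description states "This policy is not applied to Arc connected servers", yet the `@@ -15,7 +15,7 @@` hunk of the same file still shows the `IncludeArcMachines` parameter, so an assigner is offered a switch that the description says has no effect. The sibling change to ACAT_WindowsDefenderRealtimeProtection_AINE.json has the same tension and phrases it differently ("not applicable to arc connected servers", lower-case arc); both files should use one wording, e.g. `This policy is not applicable to Azure Arc-enabled servers and requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope.` If the policy rule, which lies outside these hunks, still honours `IncludeArcMachines`, then the description is wrong rather than the parameter; either way the parameter's own `description` should say which.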
diff --git a/built-in-policies/policyDefinitions/Guest Configuration/ACAT_WindowsDefenderRealtimeProtection_AINE.json b/built-in-policies/policyDefinitions/Guest Configuration/ACAT_WindowsDefenderRealtimeProtection_AINE.json index 92d0d69de..0c87ba59f 100644 --- a/built-in-policies/policyDefinitions/Guest Configuration/ACAT_WindowsDefenderRealtimeProtection_AINE.json +++ b/built-in-policies/policyDefinitions/Guest Configuration/ACAT_WindowsDefenderRealtimeProtection_AINE.json @@ -3,10 +3,10 @@ "displayName": "Windows machines should enable Windows Defender Real-time protection", "policyType": "BuiltIn", "mode": "Indexed", - "description": "Windows machines should enable the Real-time protection in the Windows Defender to provide adequate protection against newly released malware. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol.", + "description": "Windows machines should enable the Real-time protection in the Windows Defender to provide adequate protection against newly released malware. This policy is not applicable to arc connected servers and it requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol.", "metadata": { "category": "Guest Configuration", - "version": "1.0.0", + "version": "1.0.1", "requiredProviders": [ "Microsoft.GuestConfiguration" ], @@ -15,7 +15,7 @@ "version": "1.*" } }, - "version": "1.0.0", + "version": "1.0.1", "parameters": { "IncludeArcMachines": { "type": "string", @@ -263,6 +263,7 @@ } }, "versions": [ + "1.0.1", "1.0.0" ] }, diff --git a/built-in-policies/policyDefinitions/Guest Configuration/ACAT_WindowsDefenderScanScheduleDaily_AINE.json b/built-in-policies/policyDefinitions/Guest Configuration/ACAT_WindowsDefenderScanScheduleDaily_AINE.json index a2a64d4e5..e9e7d9803 100644 
--- a/built-in-policies/policyDefinitions/Guest Configuration/ACAT_WindowsDefenderScanScheduleDaily_AINE.json +++ b/built-in-policies/policyDefinitions/Guest Configuration/ACAT_WindowsDefenderScanScheduleDaily_AINE.json @@ -1,12 +1,13 @@ { "properties": { - "displayName": "Windows machines should schedule Windows Defender to perform a scheduled scan every day", + "displayName": "[Deprecated]: Windows machines should schedule Windows Defender to perform a scheduled scan every day", "policyType": "BuiltIn", "mode": "Indexed", - "description": "To ensure prompt detection of malware and minimize its impact on your system, it is recommended that Windows machines with Windows Defender schedule a daily scan. Please make sure Windows Defender is supported, preinstalled on the device, and Guest Configuration prerequisites are deployed. Failure to meet these requirements may lead to inaccurate evaluation results. Learn more about Guest Configuration at https://aka.ms/gcpol.", + "description": "This policy is deprecated because Microsoft 365 App Compliance Program no longer checks schedule frequency on Windows machines. Learn more details about the latest M365 APP Compliance requirements at aka.ms/acat-cert2-seg-ops. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.", "metadata": { "category": "Guest Configuration", - "version": "1.2.0", + "version": "1.3.0-deprecated", + "deprecated": true, "requiredProviders": [ "Microsoft.GuestConfiguration" ], @@ -15,7 +16,7 @@ "version": "1.11.*" } }, - "version": "1.2.0", + "version": "1.3.0", "parameters": { "IncludeArcMachines": { "type": "string", @@ -39,7 +40,7 @@ "AuditIfNotExists", "Disabled" ], - "defaultValue": "AuditIfNotExists" + "defaultValue": "Disabled" } }, "policyRule": { @@ -261,6 +262,7 @@ } }, "versions": [ + "1.3.0", "1.2.0" ] }, 
diff --git a/built-in-policies/policyDefinitions/Network/ACAT_FirewallPolicy_EmptyIDPSBypassList_Audit.json b/built-in-policies/policyDefinitions/Network/ACAT_FirewallPolicy_EmptyIDPSBypassList_Audit.json index 5f4998273..0af366538 100644 --- a/built-in-policies/policyDefinitions/Network/ACAT_FirewallPolicy_EmptyIDPSBypassList_Audit.json +++ b/built-in-policies/policyDefinitions/Network/ACAT_FirewallPolicy_EmptyIDPSBypassList_Audit.json @@ -1,14 +1,15 @@ { "properties": { - "displayName": "Bypass list of Intrusion Detection and Prevention System (IDPS) should be empty in Firewall Policy Premium", + "displayName": "[Deprecated]: Bypass list of Intrusion Detection and Prevention System (IDPS) should be empty in Firewall Policy Premium", "policyType": "BuiltIn", - "description": "Intrusion Detection and Prevention System (IDPS) Bypass List allows you to not filter traffic to any of the IP addresses, ranges, and subnets specified in the bypass list. However, enabling IDPS is recommanded for all traffic flows to better identify known threats. To learn more about the Intrusion Detection and Prevention System (IDPS) signatures with Azure Firewall Premium, visit https://aka.ms/fw-idps-signature", + "description": "This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.", "mode": "Indexed", "metadata": { - "version": "1.0.0", - "category": "Network" + "version": "1.1.0-deprecated", + "category": "Network", + "deprecated": true }, - "version": "1.0.0", + "version": "1.1.0", "parameters": { "effect": { "type": "String", @@ -21,7 +22,7 @@ "Deny", "Disabled" ], - "defaultValue": "Audit" + "defaultValue": "Disabled" } }, "policyRule": { 
@@ -52,6 +53,7 @@ } }, "versions": [ + "1.1.0", "1.0.0" ] }, diff --git a/built-in-policies/policyDefinitions/Network/ACAT_FirewallPolicy_EnableAllIDPSSignatureRules_Audit.json b/built-in-policies/policyDefinitions/Network/ACAT_FirewallPolicy_EnableAllIDPSSignatureRules_Audit.json index 174be3bcd..dbc5da914 100644 --- a/built-in-policies/policyDefinitions/Network/ACAT_FirewallPolicy_EnableAllIDPSSignatureRules_Audit.json +++ b/built-in-policies/policyDefinitions/Network/ACAT_FirewallPolicy_EnableAllIDPSSignatureRules_Audit.json @@ -1,14 +1,15 @@ { "properties": { - "displayName": "Firewall Policy Premium should enable all IDPS signature rules to monitor all inbound and outbound traffic flows", + "displayName": "[Deprecated]: Firewall Policy Premium should enable all IDPS signature rules to monitor all inbound and outbound traffic flows", "policyType": "BuiltIn", - "description": "Enabling all Intrusion Detection and Prevention System (IDPS) signature rules is recommanded to better identify known threats in the traffic flows. To learn more about the Intrusion Detection and Prevention System (IDPS) signatures with Azure Firewall Premium, visit https://aka.ms/fw-idps-signature", + "description": "This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.", "mode": "Indexed", "metadata": { - "version": "1.0.0", - "category": "Network" + "version": "1.1.0-deprecated", + "category": "Network", + "deprecated": true }, - "version": "1.0.0", + "version": "1.1.0", "parameters": { "effect": { "type": "String", @@ -21,7 +22,7 @@ "Deny", "Disabled" ], - "defaultValue": "Audit" + "defaultValue": "Disabled" } }, "policyRule": { 
@@ -52,6 +53,7 @@ } }, "versions": [ + "1.1.0", "1.0.0" ] }, diff --git a/built-in-policies/policyDefinitions/Network/ACAT_FirewallPolicy_EnableIDPS_Audit.json b/built-in-policies/policyDefinitions/Network/ACAT_FirewallPolicy_EnableIDPS_Audit.json index 525aa90bc..a88ae9e1e 100644 --- a/built-in-policies/policyDefinitions/Network/ACAT_FirewallPolicy_EnableIDPS_Audit.json +++ b/built-in-policies/policyDefinitions/Network/ACAT_FirewallPolicy_EnableIDPS_Audit.json @@ -1,14 +1,15 @@ { "properties": { - "displayName": "Firewall Policy Premium should enable the Intrusion Detection and Prevention System (IDPS)", + "displayName": "[Deprecated]: Firewall Policy Premium should enable the Intrusion Detection and Prevention System (IDPS)", "policyType": "BuiltIn", - "description": "Enabling the Intrusion Detection and Prevention System (IDPS) allows you to monitor your network for malicious activity, log information about this activity, report it, and optionally attempt to block it. To learn more about the Intrusion Detection and Prevention System (IDPS) with Azure Firewall Premium, visit https://aka.ms/fw-idps", + "description": "This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.", "mode": "Indexed", "metadata": { - "version": "1.0.0", - "category": "Network" + "version": "1.1.0-deprecated", + "category": "Network", + "deprecated": true }, - "version": "1.0.0", + "version": "1.1.0", "parameters": { "effect": { "type": "String", @@ -21,7 +22,7 @@ "Deny", "Disabled" ], - "defaultValue": "Audit" + "defaultValue": "Disabled" } }, "policyRule": { @@ -46,6 +47,7 @@ } }, "versions": [ + "1.1.0", "1.0.0" ] }, 
diff --git a/built-in-policies/policyDefinitions/Network/ACAT_FirewallPolicy_EnableTlsInspection_Audit.json b/built-in-policies/policyDefinitions/Network/ACAT_FirewallPolicy_EnableTlsInspection_Audit.json index b0d4256d1..4ebde601b 100644 --- a/built-in-policies/policyDefinitions/Network/ACAT_FirewallPolicy_EnableTlsInspection_Audit.json +++ b/built-in-policies/policyDefinitions/Network/ACAT_FirewallPolicy_EnableTlsInspection_Audit.json @@ -1,14 +1,15 @@ { "properties": { - "displayName": "Azure Firewall Premium should configure a valid intermediate certificate to enable TLS inspection", + "displayName": "[Deprecated]: Azure Firewall Premium should configure a valid intermediate certificate to enable TLS inspection", "policyType": "BuiltIn", - "description": "Configure a valid intermediate certificate and enable Azure Firewall Premium TLS inspection to detect, alert, and mitigate malicious activity in HTTPS. To learn more about TLS inspection with Azure Firewall, visit https://aka.ms/fw-tlsinspect", + "description": "This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.", "mode": "Indexed", "metadata": { - "version": "1.0.0", - "category": "Network" + "version": "1.1.0-deprecated", + "category": "Network", + "deprecated": true }, - "version": "1.0.0", + "version": "1.1.0", "parameters": { "effect": { "type": "String", @@ -21,7 +22,7 @@ "Deny", "Disabled" ], - "defaultValue": "Audit" + "defaultValue": "Disabled" } }, "policyRule": { @@ -46,6 +47,7 @@ } }, "versions": [ + "1.1.0", "1.0.0" ] }, 
diff --git a/built-in-policies/policyDefinitions/Network/ACAT_FirewallPolicy_EnbaleTlsForAllAppRules_Audit.json b/built-in-policies/policyDefinitions/Network/ACAT_FirewallPolicy_EnbaleTlsForAllAppRules_Audit.json index 691e50a74..11dc6d2dd 100644 --- a/built-in-policies/policyDefinitions/Network/ACAT_FirewallPolicy_EnbaleTlsForAllAppRules_Audit.json +++ b/built-in-policies/policyDefinitions/Network/ACAT_FirewallPolicy_EnbaleTlsForAllAppRules_Audit.json @@ -1,14 +1,15 @@ { "properties": { - "displayName": "Azure firewall policy should enable TLS inspection within application rules", + "displayName": "[Deprecated]: Azure firewall policy should enable TLS inspection within application rules", "policyType": "BuiltIn", - "description": "Enabling TLS inspection is recommended for all application rules to detect, alert, and mitigate malicious activity in HTTPS. To learn more about TLS inspection with Azure Firewall, visit https://aka.ms/fw-tlsinspect", + "description": "This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.", "mode": "All", "metadata": { - "version": "1.0.0", - "category": "Network" + "version": "1.1.0-deprecated", + "category": "Network", + "deprecated": true }, - "version": "1.0.0", + "version": "1.1.0", "parameters": { "effect": { "type": "String", @@ -21,7 +22,7 @@ "Deny", "Disabled" ], - "defaultValue": "Audit" + "defaultValue": "Disabled" } }, "policyRule": { @@ -54,6 +55,7 @@ } }, "versions": [ + "1.1.0", "1.0.0" ] }, 
diff --git a/built-in-policies/policyDefinitions/Network/ACAT_Firewall_FirewallPremiumShouldExist_Audit.json b/built-in-policies/policyDefinitions/Network/ACAT_Firewall_FirewallPremiumShouldExist_Audit.json index a669e5a84..7c1f36512 100644 --- a/built-in-policies/policyDefinitions/Network/ACAT_Firewall_FirewallPremiumShouldExist_Audit.json +++ b/built-in-policies/policyDefinitions/Network/ACAT_Firewall_FirewallPremiumShouldExist_Audit.json @@ -1,18 +1,19 @@ { "properties": { - "displayName": "Subscription should configure the Azure Firewall Premium to provide additional layer of protection", + "displayName": "[Deprecated]: Subscription should configure the Azure Firewall Premium to provide additional layer of protection", "policyType": "BuiltIn", - "description": "Azure Firewall Premium provides advanced threat protection that meets the needs of highly sensitive and regulated environments. Deploy Azure Firewall Premium to your subscription and make sure all the service traffic are protected by Azure Firewall Premium. To learn more about Azure Firewall Premium, visit https://aka.ms/fw-premium", + "description": "This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.", "mode": "All", "metadata": { - "version": "1.0.0", - "category": "Network" + "version": "1.1.0-deprecated", + "category": "Network", + "deprecated": true }, - "version": "1.0.0", + "version": "1.1.0", "parameters": { "effect": { "type": "String", - "defaultValue": "AuditIfNotExists", + "defaultValue": "Disabled", "allowedValues": [ "AuditIfNotExists", "Disabled" @@ -48,6 +49,7 @@ } }, "versions": [ + "1.1.0", "1.0.0" ] }, 
diff --git a/built-in-policies/policyDefinitions/Network/ACAT_WAF_AppGatewayAllRulesEnabled_Audit.json b/built-in-policies/policyDefinitions/Network/ACAT_WAF_AppGatewayAllRulesEnabled_Audit.json index fc2e18a81..23cd147ea 100644 --- a/built-in-policies/policyDefinitions/Network/ACAT_WAF_AppGatewayAllRulesEnabled_Audit.json +++ b/built-in-policies/policyDefinitions/Network/ACAT_WAF_AppGatewayAllRulesEnabled_Audit.json @@ -1,14 +1,15 @@ { "properties": { - "displayName": "Web Application Firewall (WAF) should enable all firewall rules for Application Gateway", + "displayName": "[Deprecated]: Web Application Firewall (WAF) should enable all firewall rules for Application Gateway", "policyType": "BuiltIn", - "description": "Enabling all Web Application Firewall (WAF) rules strengthens your application security and protects your web applications against common vulnerabilities. To learn more about Web Application Firewall (WAF) with Application Gateway, visit https://aka.ms/waf-ag", + "description": "This policy is deprecated because sometimes it is impractical to enable all WAF rules. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID 564feb30-bf6a-4854-b4bb-0d2d2d1e6c66. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.", "mode": "Indexed", "metadata": { - "version": "1.0.1", - "category": "Network" + "version": "1.1.0-deprecated", + "category": "Network", + "deprecated": true }, - "version": "1.0.1", + "version": "1.1.0", "parameters": { "effect": { "type": "String", @@ -21,7 +22,7 @@ "Deny", "Disabled" ], - "defaultValue": "Audit" + "defaultValue": "Disabled" } }, "policyRule": { @@ -44,6 +45,7 @@ } }, "versions": [ + "1.1.0", "1.0.1" ] }, 
diff --git a/built-in-policies/policyDefinitions/PostgreSQL/FlexibleServers_DiagnosticSettings_LogAnalytics_DINE.json b/built-in-policies/policyDefinitions/PostgreSQL/FlexibleServers_DiagnosticSettings_LogAnalytics_DINE.json new file mode 100644 index 000000000..afc2a0cad --- /dev/null +++ b/built-in-policies/policyDefinitions/PostgreSQL/FlexibleServers_DiagnosticSettings_LogAnalytics_DINE.json 
@@ -0,0 +1,187 @@ +{ + "properties": { + "displayName": "Deploy Diagnostic Settings for PostgreSQL flexible servers to Log Analytics workspace", + "policyType": "BuiltIn", + "mode": "Indexed", + "description": "Deploys the diagnostic settings for PostgreSQL flexible servers to stream to a regional Log Analytics workspace when any PostgreSQL flexible servers which is missing this diagnostic settings is created or updated.", + "metadata": { + "version": "1.0.0", + "category": "PostgreSQL" + }, + "version": "1.0.0", + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_logAnalytics" + }, + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace", + "assignPermissions": true + } + }, + "metricsEnabled": { + "type": "Boolean", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + }, + "defaultValue": false + }, + "logsEnabled": { + "type": "Boolean", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + }, + "defaultValue": true + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DBforPostgreSQL/flexibleServers" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + } + ] + } + }, + "equals": 1 + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "location": { + "type": 
"string" + }, + "logAnalytics": { + "type": "string" + }, + "metricsEnabled": { + "type": "bool" + }, + "logsEnabled": { + "type": "bool" + }, + "profileName": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DBforPostgreSQL/flexibleServers/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + } + } + } + } + } + } + }, + "versions": [ + "1.0.0" + ] + }, + "id": "/providers/Microsoft.Authorization/policyDefinitions/78ed47da-513e-41e9-a088-e829b373281d", + "name": "78ed47da-513e-41e9-a088-e829b373281d" +} \ No newline at end of file diff --git a/built-in-policies/policyDefinitions/PostgreSQL/FlexibleServers_EnableCMK_AINE.json b/built-in-policies/policyDefinitions/PostgreSQL/FlexibleServers_EnableCMK_AINE.json new file mode 100644 index 000000000..8b6e2a813 --- /dev/null +++ b/built-in-policies/policyDefinitions/PostgreSQL/FlexibleServers_EnableCMK_AINE.json 
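Review bot: The `existenceCondition` in the new file matches a diagnostic setting only by the `logs[*]` count and `metrics.enabled`, never by destination, so an existing setting named `setbypolicy_logAnalytics` that streams to a different workspace satisfies the condition and the deployment to `[parameters('logAnalytics')]` is skipped. Adding `{ "field": "Microsoft.Insights/diagnosticSettings/workspaceId", "equals": "[parameters('logAnalytics')]" }` to the `allOf` ties compliance to the intended workspace. Two smaller points: the template `$schema` is `http://schema.management.azure.com/...` where the https form is the usual one, and the description "when any PostgreSQL flexible servers which is missing this diagnostic settings is created or updated" reads better as "when a PostgreSQL flexible server that is missing these diagnostic settings is created or updated".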
@@ -0,0 +1,58 @@ +{ + "properties": { + "displayName": "PostgreSQL flexble servers should use customer-managed keys to encrypt data at rest", + "policyType": "BuiltIn", + "mode": "Indexed", + "description": "Use customer-managed keys to manage the encryption at rest of your PostgreSQL flexible servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.", + "metadata": { + "version": "1.0.0", + "category": "PostgreSQL" + }, + "version": "1.0.0", + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DBforPostgreSQL/flexibleServers" + }, + { + "field": "Microsoft.DBforPostgreSQL/flexibleServers/dataEncryption.type", + "equals": "AzureKeyVault" + }, + { + "field": "Microsoft.DBforPostgreSQL/flexibleServers/dataEncryption.primaryKeyURI", + "exists": "true" + }, + { + "field": "Microsoft.DBforPostgreSQL/flexibleServers/dataEncryption.primaryKeyURI", + "notEquals": "" + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + }, + "versions": [ + "1.0.0" + ] + }, + "id": "/providers/Microsoft.Authorization/policyDefinitions/12c74c95-0efd-48da-b8d9-2a7d68470c92", + "name": "12c74c95-0efd-48da-b8d9-2a7d68470c92" +} \ No newline at end of file 
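Review bot: The `if` block audits the wrong state: with `Audit`/`Deny` the `then` effect applies to resources that match `if`, and the new `allOf` matches servers whose `dataEncryption.type` equals `AzureKeyVault` with a `primaryKeyURI` that exists and is non-empty, i.e. exactly the servers that already use customer-managed keys, so compliant servers are reported non-compliant and `Deny` would block CMK deployments. The three encryption conditions need inverting into an `anyOf` of the failing cases (type not `AzureKeyVault`, key URI absent, key URI empty), as below; the `then` block stays as it is. The displayName also misspells "flexble".
```json
"if": {
  "allOf": [
    {
      "field": "type",
      "equals": "Microsoft.DBforPostgreSQL/flexibleServers"
    },
    {
      "anyOf": [
        {
          "field": "Microsoft.DBforPostgreSQL/flexibleServers/dataEncryption.type",
          "notEquals": "AzureKeyVault"
        },
        {
          "field": "Microsoft.DBforPostgreSQL/flexibleServers/dataEncryption.primaryKeyURI",
          "exists": "false"
        },
        {
          "field": "Microsoft.DBforPostgreSQL/flexibleServers/dataEncryption.primaryKeyURI",
          "equals": ""
        }
      ]
    }
  ]
},
```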
diff --git a/built-in-policies/policyDefinitions/PostgreSQL/FlexibleServers_EnablePgAudit_AINE.json b/built-in-policies/policyDefinitions/PostgreSQL/FlexibleServers_EnablePgAudit_AINE.json new file mode 100644 index 000000000..8694e9732 --- /dev/null +++ b/built-in-policies/policyDefinitions/PostgreSQL/FlexibleServers_EnablePgAudit_AINE.json @@ -0,0 +1,49 @@ +{ + "properties": { + "displayName": "Auditing with PgAudit should be enabled for PostgreSQL flexible servers", + "policyType": "BuiltIn", + "mode": "Indexed", + "description": "This policy helps audit any PostgreSQL flexible servers in your environment which is not enabled to use pgaudit.", + "metadata": { + "version": "1.0.0", + "category": "PostgreSQL" + }, + "version": "1.0.0", + "parameters": { + "effect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DBforPostgreSQL/flexibleServers" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.DBforPostgreSQL/flexibleServers/configurations", + "name": "pgaudit.log", + "existenceCondition": { + "field": "Microsoft.DBforPostgreSQL/flexibleServers/configurations/value", + "notEquals": "none" + } + } + } + }, + "versions": [ + "1.0.0" + ] + }, + "id": "/providers/Microsoft.Authorization/policyDefinitions/4eb5e667-e871-4292-9c5d-8bbb94e0c908", + "name": "4eb5e667-e871-4292-9c5d-8bbb94e0c908" +} \ No newline at end of file diff --git a/built-in-policies/policyDefinitions/PostgreSQL/FlexibleServers_MinTLS_AINE.json b/built-in-policies/policyDefinitions/PostgreSQL/FlexibleServers_MinTLS_AINE.json new file mode 100644 index 000000000..677884830 --- /dev/null +++ b/built-in-policies/policyDefinitions/PostgreSQL/FlexibleServers_MinTLS_AINE.json 
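Review bot: The `existenceCondition` only checks that the `pgaudit.log` server parameter is not `none`; on PostgreSQL flexible servers the pgaudit extension also has to be loaded via `shared_preload_libraries` before that setting produces any audit records, so a server with `pgaudit.log` set but the library not preloaded would be reported compliant while auditing nothing. Since the `details` block targets a single configuration name, the gap should at least be stated in the description, e.g. `This policy checks the pgaudit.log parameter only; pgaudit must also be listed in shared_preload_libraries for auditing to take effect.` The effect parameter's `type` is written `string` here and in the next two new files but `String` in the two files above; one casing should be used across the new definitions.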
@@ -0,0 +1,49 @@ +{ + "properties": { + "displayName": "PostgreSQL flexible servers should be running TLS version 1.2 or newer", + "policyType": "BuiltIn", + "mode": "Indexed", + "description": "This policy helps audit any PostgreSQL flexible servers in your environment which is running with TLS version less than 1.2.", + "metadata": { + "version": "1.0.0", + "category": "PostgreSQL" + }, + "version": "1.0.0", + "parameters": { + "effect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DBforPostgreSQL/flexibleServers" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.DBforPostgreSQL/flexibleServers/configurations", + "name": "ssl_min_protocol_version", + "existenceCondition": { + "field": "Microsoft.DBforPostgreSQL/flexibleServers/configurations/value", + "equals": "TLSv1.2" + } + } + } + }, + "versions": [ + "1.0.0" + ] + }, + "id": "/providers/Microsoft.Authorization/policyDefinitions/a43d5475-c569-45ce-a268-28fa79f4e87a", + "name": "a43d5475-c569-45ce-a268-28fa79f4e87a" +} \ No newline at end of file diff --git a/built-in-policies/policyDefinitions/PostgreSQL/FlexibleServers_ProvisionEntraAdmin_AINE.json b/built-in-policies/policyDefinitions/PostgreSQL/FlexibleServers_ProvisionEntraAdmin_AINE.json new file mode 100644 index 000000000..914897452 --- /dev/null +++ b/built-in-policies/policyDefinitions/PostgreSQL/FlexibleServers_ProvisionEntraAdmin_AINE.json 
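Review bot: The `existenceCondition` requires `ssl_min_protocol_version` to equal `TLSv1.2`, but the displayName promises "TLS version 1.2 or newer", so a server hardened to `TLSv1.3` is reported non-compliant. Replacing the comparison with `"in": ["TLSv1.2", "TLSv1.3"]` matches the stated intent. If the service only accepts `TLSv1.2` for this parameter today, the displayName and description should instead say "TLS version 1.2" so the text and the rule agree.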
@@ -0,0 +1,44 @@ +{ + "properties": { + "displayName": "A Microsoft Entra administrator should be provisioned for PostgreSQL flexible servers", + "policyType": "BuiltIn", + "mode": "Indexed", + "description": "Audit provisioning of a Microsoft Entra administrator for your PostgreSQL flexible server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services", + "metadata": { + "version": "1.0.0", + "category": "PostgreSQL" + }, + "version": "1.0.0", + "parameters": { + "effect": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DBforPostgreSQL/flexibleServers" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.DBforPostgreSQL/flexibleServers/administrators" + } + } + }, + "versions": [ + "1.0.0" + ] + }, + "id": "/providers/Microsoft.Authorization/policyDefinitions/ce39a96d-bf09-4b60-8c32-e85d52abea0f", + "name": "ce39a96d-bf09-4b60-8c32-e85d52abea0f" +} \ No newline at end of file diff --git a/built-in-policies/policyDefinitions/SQL/PostgreSQL_FlexibleServers_DisablePublicNetworkAccess_Audit.json b/built-in-policies/policyDefinitions/SQL/PostgreSQL_FlexibleServers_DisablePublicNetworkAccess_Audit.json index 336c6e134..57417c6f6 100644 --- a/built-in-policies/policyDefinitions/SQL/PostgreSQL_FlexibleServers_DisablePublicNetworkAccess_Audit.json +++ b/built-in-policies/policyDefinitions/SQL/PostgreSQL_FlexibleServers_DisablePublicNetworkAccess_Audit.json 
@@ -3,12 +3,12 @@
 "displayName": "Public network access should be disabled for PostgreSQL flexible servers",
 "policyType": "BuiltIn",
 "mode": "Indexed",
- "description": "Disabling the public network access property improves security by ensuring your Azure Database for PostgreSQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules.",
+ "description": "Disabling the public network access property improves security by ensuring your Azure Database for PostgreSQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP based firewall rules.",
 "metadata": {
- "version": "3.0.1",
+ "version": "3.1.0",
 "category": "SQL"
 },
- "version": "3.0.1",
+ "version": "3.1.0",
 "parameters": {
 "effect": {
 "type": "string",
@@ -32,16 +32,40 @@
 "equals": "Microsoft.DBforPostgreSQL/flexibleServers"
 },
 {
- "field": "Microsoft.DBforPostgreSQL/flexibleServers/createMode",
- "notEquals": "Update"
+ "anyOf": [
+ {
+ "field": "Microsoft.DBforPostgreSQL/flexibleServers/network.delegatedSubnetResourceId",
+ "exists": "true"
+ },
+ {
+ "field": "Microsoft.DBforPostgreSQL/flexibleServers/network.privateDnsZoneArmResourceId",
+ "exists": "true"
+ },
+ {
+ "allOf": [
+ {
+ "field": "Microsoft.DBforPostgreSQL/flexibleServers/network.publicNetworkAccess",
+ "exists": "true"
+ },
+ {
+ "field": "Microsoft.DBforPostgreSQL/flexibleServers/network.publicNetworkAccess",
+ "notEquals": "Disabled"
+ }
+ ]
+ }
+ ]
 },
 {
- "field": "Microsoft.DBforPostgreSQL/flexibleServers/network.delegatedSubnetResourceId",
- "exists": "false"
- },
- {
- "field": "Microsoft.DBforPostgreSQL/flexibleServers/network.privateDnsZoneArmResourceId",
- "exists": "false"
+ "anyOf": [
+ {
+ "field": "Microsoft.DBforPostgreSQL/flexibleServers/network.delegatedSubnetResourceId",
+ "exists": "false"
+ },
+ {
+ "field": "Microsoft.DBforPostgreSQL/flexibleServers/network.privateDnsZoneArmResourceId",
+ "exists": "false"
+ }
+ ]
 }
 ]
 },
@@ -50,6 +74,7 @@
 }
 },
 "versions": [
+ "3.1.0",
 "3.0.1"
 ]
 },
diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/ACAT_M365_Cert.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/ACAT_M365_Cert.json
index e49fc64f9..824649272 100644
--- a/built-in-policies/policySetDefinitions/Regulatory Compliance/ACAT_M365_Cert.json
+++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/ACAT_M365_Cert.json
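Review bot: The rewritten `if` block fails open when `network.publicNetworkAccess` is absent from the server payload and neither VNet field is set: every branch of the first `anyOf` is then false, so the server evaluates as compliant, whereas the removed `exists: false` pair treated exactly that server as publicly reachable. Whether the provider can still return a server without that property is not visible here, but that older shape is what the previous version was written for. The `delegatedSubnetResourceId`/`privateDnsZoneArmResourceId` `exists: true` branches also interact with the second `anyOf` so that a server carrying only one of the two identifiers is flagged even when `publicNetworkAccess` is `Disabled`; if that state is reachable it is a false positive, and if it is not, both branches are dead. The fence below replaces the two `anyOf` elements with one that keys on `publicNetworkAccess` and falls back to the old "no delegated subnet" test only when the property is missing. The enclosing `allOf` starts before this hunk.
```json
{
  "field": "type",
  "equals": "Microsoft.DBforPostgreSQL/flexibleServers"
},
{
  "anyOf": [
    {
      "allOf": [
        {
          "field": "Microsoft.DBforPostgreSQL/flexibleServers/network.publicNetworkAccess",
          "exists": "true"
        },
        {
          "field": "Microsoft.DBforPostgreSQL/flexibleServers/network.publicNetworkAccess",
          "notEquals": "Disabled"
        }
      ]
    },
    {
      "allOf": [
        {
          "field": "Microsoft.DBforPostgreSQL/flexibleServers/network.publicNetworkAccess",
          "exists": "false"
        },
        {
          "field": "Microsoft.DBforPostgreSQL/flexibleServers/network.delegatedSubnetResourceId",
          "exists": "false"
        }
      ]
    }
  ]
}
```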
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "App Compliance Automation Tool for Microsoft 365 (ACAT) simplifies the process to achieve Microsoft 365 Certification, see https://aka.ms/acat. This certification ensures that apps have strong security and compliance practices in place to protect customer data, security, and privacy. This initiative includes policies that address a subset of the Microsoft 365 Certification controls. Additional policies will be added in upcoming releases.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Regulatory Compliance"
 },
- "version": "1.0.0",
+ "version": "1.1.0",
 "policyDefinitionGroups": [
 {
 "name": "ACAT_Security_Policies",
@@ -83,15 +83,6 @@
 "ACAT_Security_Policies"
 ]
 },
- {
- "policyDefinitionReferenceId": "632d3993-e2c0-44ea-a7db-2eca131f356d",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d",
- "definitionVersion": "1.*.*",
- "parameters": {},
- "groupNames": [
- "ACAT_Security_Policies"
- ]
- },
 {
 "policyDefinitionReferenceId": "b3248a42-b1c1-41a4-87bc-8bad3d845589",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b3248a42-b1c1-41a4-87bc-8bad3d845589",
@@ -110,24 +101,6 @@
 "ACAT_Security_Policies"
 ]
 },
- {
- "policyDefinitionReferenceId": "3810e389-1d92-4f77-9267-33bdcf0bd225",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3810e389-1d92-4f77-9267-33bdcf0bd225",
- "definitionVersion": "1.*.*",
- "parameters": {},
- "groupNames": [
- "ACAT_Security_Policies"
- ]
- },
- {
- "policyDefinitionReferenceId": "2454bbee-dc19-442f-83fc-7f3114cafd91",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2454bbee-dc19-442f-83fc-7f3114cafd91",
- "definitionVersion": "1.*.*",
- "parameters": {},
- "groupNames": [
- "ACAT_Security_Policies"
- ]
- },
 {
 "policyDefinitionReferenceId": "32e6bbec-16b6-44c2-be37-c5b672d103cf",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf",
@@ -191,51 +164,6 @@
 "ACAT_Security_Policies"
 ]
 },
- {
- "policyDefinitionReferenceId": "f2c2d0a6-e183-4fc8-bd8f-363c65d3bbbf",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f2c2d0a6-e183-4fc8-bd8f-363c65d3bbbf",
- "definitionVersion": "1.*.*",
- "parameters": {},
- "groupNames": [
- "ACAT_Security_Policies"
- ]
- },
- {
- "policyDefinitionReferenceId": "f516dc7a-4543-4d40-aad6-98f76a706b50",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50",
- "definitionVersion": "1.*.*",
- "parameters": {},
- "groupNames": [
- "ACAT_Security_Policies"
- ]
- },
- {
- "policyDefinitionReferenceId": "6484db87-a62d-4327-9f07-80a2cbdf333a",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a",
- "definitionVersion": "1.*.*",
- "parameters": {},
- "groupNames": [
- "ACAT_Security_Policies"
- ]
- },
- {
- "policyDefinitionReferenceId": "711c24bb-7f18-4578-b192-81a6161e1f17",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17",
- "definitionVersion": "1.*.*",
- "parameters": {},
- "groupNames": [
- "ACAT_Security_Policies"
- ]
- },
- {
- "policyDefinitionReferenceId": "610b6183-5f00-4d68-86d2-4ab4cb3a67a5",
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5",
- "definitionVersion": "1.*.*",
- "parameters": {},
- "groupNames": [
- "ACAT_Security_Policies"
- ]
- },
 {
 "policyDefinitionReferenceId": "fe83a0eb-a853-422d-aac2-1bffd182c5d0",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0",
@@ -247,6 +175,7 @@
 }
 ],
 "versions": [
+ "1.1.0",
 "1.0.0"
 ]
 },
diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/RBI_ITF_Banks_v2016.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/RBI_ITF_Banks_v2016.json
index 72ec632f2..e42f65341 100644
--- a/built-in-policies/policySetDefinitions/Regulatory Compliance/RBI_ITF_Banks_v2016.json
+++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/RBI_ITF_Banks_v2016.json
@@ -4,11 +4,11 @@
 "policyType": "BuiltIn",
 "description": "This initiative includes policies that address a subset of Reserve Bank of India IT Framework for Banks controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/rbiitfbanks-initiative.",
 "metadata": {
- "version": "1.11.0-preview",
+ "version": "1.12.0-preview",
 "category": "Regulatory Compliance",
 "preview": true
 },
- "version": "1.11.0-preview",
+ "version": "1.12.0-preview",
 "policyDefinitionGroups": [
 {
 "name": "RBI_CSF_Banks_v2016_9.1",
@@ -620,27 +620,29 @@
 "type": "String",
 "metadata": {
 "displayName": "Effect for policy: Web Application Firewall (WAF) should enable all firewall rules for Application Gateway",
- "description": "The effect determines what happens when the policy rule is evaluated "
+ "description": "The effect determines what happens when the policy rule is evaluated ",
+ "deprecated": true
 },
 "allowedValues": [
 "Audit",
 "Disabled",
 "Deny"
 ],
- "defaultValue": "Audit"
+ "defaultValue": "Disabled"
 },
 "effect-a58ac66d-92cb-409c-94b8-8e48d7a96596": {
 "type": "String",
 "metadata": {
 "displayName": "Effect for policy: Azure firewall policy should enable TLS inspection within application rules",
- "description": "The effect determines what happens when the policy rule is evaluated "
+ "description": "The effect determines what happens when the policy rule is evaluated ",
+ "deprecated": true
 },
 "allowedValues": [
 "Audit",
 "Deny",
 "Disabled"
 ],
- "defaultValue": "Audit"
+ "defaultValue": "Disabled"
 },
 "evaluatedSkuNames-af35e2a4-ef96-44e7-a9ae-853dd97032c4": {
 "type": "Array",
@@ -2557,20 +2559,6 @@
 "RBI_CSF_Banks_v2016_6.4"
 ]
 },
- {
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d",
- "definitionVersion": "1.*.*",
- "policyDefinitionReferenceId": "632d3993-e2c0-44ea-a7db-2eca131f356d",
- "parameters": {
- "effect": {
- "value": "[parameters('effect-632d3993-e2c0-44ea-a7db-2eca131f356d')]"
- }
- },
- "groupNames": [
- "RBI_CSF_Banks_v2016_6.7",
- "RBI_CSF_Banks_v2016_4.3"
- ]
- },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052",
 "definitionVersion": "2.*.*",
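Review bot: The two effect parameters are kept (now `"deprecated": true`, default `Disabled`) while the policy references that consumed them are deleted in the second hunk here and in the `a58ac66d-92cb-409c-94b8-8e48d7a96596` hunk that follows, so their description still tells an assignee that the value controls a rule evaluation; the first parameter's key line sits above this hunk, but its `[parameters('effect-632d3993-e2c0-44ea-a7db-2eca131f356d')]` consumer is the one removed below. Retaining the parameters is reasonable for existing assignments that still pass them, but the text should say that, e.g. `"description": "The effect determines what happens when the policy rule is evaluated. Retained for backward compatibility only: the referenced policy has been removed from this initiative and this value has no effect."` on both parameters. The trailing space carried over in the existing description can be dropped at the same time.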
@@ -2593,19 +2581,6 @@
 "RBI_CSF_Banks_v2016_19.4"
 ]
 },
- {
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596",
- "definitionVersion": "1.*.*",
- "policyDefinitionReferenceId": "a58ac66d-92cb-409c-94b8-8e48d7a96596",
- "parameters": {
- "effect": {
- "value": "[parameters('effect-a58ac66d-92cb-409c-94b8-8e48d7a96596')]"
- }
- },
- "groupNames": [
- "RBI_CSF_Banks_v2016_4.3"
- ]
- },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8d7e1fde-fe26-4b5f-8108-f8e432cbc2be",
 "definitionVersion": "1.*.*",
@@ -2721,6 +2696,7 @@
 }
 ],
 "versions": [
+ "1.12.0-PREVIEW",
 "1.11.0-PREVIEW",
 "1.10.0-PREVIEW",
 "1.9.0-PREVIEW",
diff --git a/built-in-policies/policySetDefinitions/Regulatory Compliance/Spain_ENS.json b/built-in-policies/policySetDefinitions/Regulatory Compliance/Spain_ENS.json
index 13278bcdf..8dc0d51c6 100644
--- a/built-in-policies/policySetDefinitions/Regulatory Compliance/Spain_ENS.json
+++ b/built-in-policies/policySetDefinitions/Regulatory Compliance/Spain_ENS.json
@@ -4,10 +4,10 @@
 "policyType": "BuiltIn",
 "description": "This initiative includes policies that address National Security Scheme (ENS) controls specifically for the 'CCN-STIC 884'. This policy set includes definitions that have a Deny effect by default.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Regulatory Compliance"
 },
- "version": "1.0.0",
+ "version": "1.1.0",
 "policyDefinitionGroups": [
 {
 "name": "org.1 Security policy",
@@ -10646,22 +10646,6 @@
 ],
 "definitionVersion": "1.*.*"
 },
- {
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3810e389-1d92-4f77-9267-33bdcf0bd225",
- "policyDefinitionReferenceId": "WindowsMachinesShouldScheduleWindowsDefenderToPerformAScheduledScanEveryDay",
- "parameters": {
- "IncludeArcMachines": {
- "value": "[parameters('IncludeArcMachines-AllowedValuesMustBeInUpperCase')]"
- },
- "effect": {
- "value": "[parameters('effect-EnableRelatedResourceAuditingByDefaultOrDisablePolicy')]"
- }
- },
- "groupNames": [
- "op.exp.6 Protection against harmful code"
- ],
- "definitionVersion": "1.*.*"
- },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a",
 "policyDefinitionReferenceId": "ConfigureAzureDefenderForOpen-sourceRelationalDatabasesToBeEnabled",
@@ -13701,34 +13685,6 @@
 ],
 "definitionVersion": "1.*.*"
 },
- {
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5",
- "policyDefinitionReferenceId": "FirewallPolicyPremiumShouldEnableAllIdpsSignatureRulesToMonitorAllInboundAndOutboundTrafficFlows",
- "parameters": {
- "effect": {
- "value": "[parameters('effect-AuditNonCompliantResourcesByDefaultOrDenyResourceRequestOrDisablePolicy')]"
- }
- },
- "groupNames": [
- "op.mon.1 Intrusion detection",
- "mp.com.1 Secure perimeter"
- ],
- "definitionVersion": "1.*.*"
- },
- {
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a",
- "policyDefinitionReferenceId": "FirewallPolicyPremiumShouldEnableTheIntrusionDetectionAndPreventionSystem(idps)",
- "parameters": {
- "effect": {
- "value": "[parameters('effect-AuditNonCompliantResourcesByDefaultOrDenyResourceRequestOrDisablePolicy')]"
- }
- },
- "groupNames": [
- "op.mon.1 Intrusion detection",
- "mp.com.1 Secure perimeter"
- ],
- "definitionVersion": "1.*.*"
- },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a2567a23-d1c3-4783-99f3-d471302a4d6b",
 "policyDefinitionReferenceId": "MicrosoftManagedControl1690-InformationSystemMonitoring|System-wideIntrusionDetectionSystem",
@@ -13751,20 +13707,6 @@
 ],
 "definitionVersion": "1.*.*"
 },
- {
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50",
- "policyDefinitionReferenceId": "BypassListOfIntrusionDetectionAndPreventionSystem(idps)ShouldBeEmptyInFirewallPolicyPremium",
- "parameters": {
- "effect": {
- "value": "[parameters('effect-AuditNonCompliantResourcesByDefaultOrDenyResourceRequestOrDisablePolicy')]"
- }
- },
- "groupNames": [
- "op.mon.1 Intrusion detection",
- "mp.com.1 Secure perimeter"
- ],
- "definitionVersion": "1.*.*"
- },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a1181c5f-672a-477a-979a-7d58aa086233",
 "policyDefinitionReferenceId": "SecurityCenterStandardPricingTierShouldBeSelected",
@@ -14532,33 +14474,6 @@
 ],
 "definitionVersion": "1.*.*"
 },
- {
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d",
- "policyDefinitionReferenceId": "WebApplicationFirewall(waf)ShouldEnableAllFirewallRulesForApplicationGateway",
- "parameters": {
- "effect": {
- "value": "[parameters('effect-AuditNonCompliantResourcesByDefaultOrDenyResourceRequestOrDisablePolicy')]"
- }
- },
- "groupNames": [
- "mp.com.1 Secure perimeter",
- "mp.s.3 Protection of web browsing"
- ],
- "definitionVersion": "1.*.*"
- },
- {
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17",
- "policyDefinitionReferenceId": "AzureFirewallPremiumShouldConfigureAValidIntermediateCertificateToEnableTlsInspection",
- "parameters": {
- "effect": {
- "value": "[parameters('effect-AuditNonCompliantResourcesByDefaultOrDenyResourceRequestOrDisablePolicy')]"
- }
- },
- "groupNames": [
- "mp.com.1 Secure perimeter"
- ],
- "definitionVersion": "1.*.*"
- },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/77e8b146-0078-4fb2-b002-e112381199f0",
 "policyDefinitionReferenceId": "VirtualNetworkFirewallRuleOnAzureSqlDatabaseShouldBeEnabledToAllowTrafficFromTheSpecifiedSubnet",
@@ -14611,19 +14526,6 @@
 ],
 "definitionVersion": "1.*.*"
 },
- {
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596",
- "policyDefinitionReferenceId": "AzureFirewallPolicyShouldEnableTlsInspectionWithinApplicationRules",
- "parameters": {
- "effect": {
- "value": "[parameters('effect-AuditNonCompliantResourcesByDefaultOrDenyResourceRequestOrDisablePolicy')]"
- }
- },
- "groupNames": [
- "mp.com.1 Secure perimeter"
- ],
- "definitionVersion": "1.*.*"
- },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc",
 "policyDefinitionReferenceId": "ConfigureKeyVaultsToEnableFirewall",
@@ -14744,19 +14646,6 @@
 ],
 "definitionVersion": "1.*.*"
 },
- {
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f2c2d0a6-e183-4fc8-bd8f-363c65d3bbbf",
- "policyDefinitionReferenceId": "SubscriptionShouldConfigureTheAzureFirewallPremiumToProvideAdditionalLayerOfProtection",
- "parameters": {
- "effect": {
- "value": "[parameters('effect-EnableRelatedResourceAuditingByDefaultOrDisablePolicy')]"
- }
- },
- "groupNames": [
- "mp.com.1 Secure perimeter"
- ],
- "definitionVersion": "1.*.*"
- },
 {
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c",
 "policyDefinitionReferenceId": "[preview]:AllInternetTrafficShouldBeRoutedViaYourDeployedAzureFirewall",
@@ -15405,6 +15294,7 @@
 }
 ],
 "versions": [
+ "1.1.0",
 "1.0.0"
 ]
 },